Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    08-10-2020 15:06

General

  • Target

    ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe

  • Size

    1.2MB

  • MD5

    0e527383dc50b48d63183e1176c4d79e

  • SHA1

    c1437130dd774db14dd16c45771e7e1a484d5ee5

  • SHA256

    ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a

  • SHA512

    58a3edde62268c34b2577530b520559c8c8f4f085210703c59c75442b9162e396ea38973302afc3e54d6d546ccd7b246650b4e9aef137d7b7787ab3354aec457

Malware Config

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets service image path in registry 2 TTPs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies file permissions 1 TTPs 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
    "C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe" "C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe"
      2⤵
        PID:2140
      • C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe
        "C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe" -n
        2⤵
        • Executes dropped EXE
        PID:1412
        • C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe
          "C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe" "\\10.10.0.12\C$"
          3⤵
            PID:5620
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AeHtHf61.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4136
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AeHtHf61.bmp" /f
            3⤵
            • Sets desktop wallpaper using registry
            • Modifies Control Panel
            PID:4324
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
            3⤵
            • Modifies Control Panel
            PID:4400
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
            • Modifies Control Panel
            PID:4428
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\AYjddmgv.vbs"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4148
          • C:\Windows\SysWOW64\wscript.exe
            wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\AYjddmgv.vbs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4336
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lZgqBLCp.bat" /sc minute /mo 5 /RL HIGHEST /F
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4532
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lZgqBLCp.bat" /sc minute /mo 5 /RL HIGHEST /F
                5⤵
                • Creates scheduled task(s)
                PID:4684
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
              4⤵
                PID:4832
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Run /I /tn DSHCA
                  5⤵
                    PID:4884
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4272
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
                3⤵
                  PID:4372
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
                  3⤵
                  • Modifies file permissions
                  PID:4508
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "classes.jsa" -nobanner
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4620
                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                    UxaXqOSf.exe -accepteula "classes.jsa" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4652
                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf64.exe
                      UxaXqOSf.exe -accepteula "classes.jsa" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4720
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4560
                • C:\Windows\SysWOW64\cacls.exe
                  cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
                  3⤵
                    PID:4640
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
                    3⤵
                    • Modifies file permissions
                    PID:4668
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "qmgr.db" -nobanner
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4760
                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                      UxaXqOSf.exe -accepteula "qmgr.db" -nobanner
                      4⤵
                      • Executes dropped EXE
                      PID:4776
                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                    3⤵
                    • Executes dropped EXE
                    PID:4800
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
                  2⤵
                    PID:5084
                    • C:\Windows\SysWOW64\cacls.exe
                      cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
                      3⤵
                        PID:808
                      • C:\Windows\SysWOW64\takeown.exe
                        takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
                        3⤵
                        • Modifies file permissions
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1332
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SmsInterceptStore.db" -nobanner
                        3⤵
                          PID:2980
                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                            UxaXqOSf.exe -accepteula "SmsInterceptStore.db" -nobanner
                            4⤵
                            • Executes dropped EXE
                            PID:4164
                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                          3⤵
                          • Executes dropped EXE
                          PID:4296
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
                        2⤵
                          PID:4360
                          • C:\Windows\SysWOW64\cacls.exe
                            cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
                            3⤵
                              PID:4140
                            • C:\Windows\SysWOW64\takeown.exe
                              takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
                              3⤵
                              • Modifies file permissions
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4192
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner
                              3⤵
                                PID:4692
                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                  UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner
                                  4⤵
                                  • Executes dropped EXE
                                  PID:4704
                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                3⤵
                                • Executes dropped EXE
                                PID:4748
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
                              2⤵
                                PID:4688
                                • C:\Windows\SysWOW64\cacls.exe
                                  cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
                                  3⤵
                                    PID:4552
                                  • C:\Windows\SysWOW64\takeown.exe
                                    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
                                    3⤵
                                    • Modifies file permissions
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3804
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "manifest.json" -nobanner
                                    3⤵
                                      PID:1508
                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                        UxaXqOSf.exe -accepteula "manifest.json" -nobanner
                                        4⤵
                                        • Executes dropped EXE
                                        PID:4364
                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                      3⤵
                                      • Executes dropped EXE
                                      PID:4824
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\wabmig.exe""
                                    2⤵
                                      PID:4816
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
                                        3⤵
                                          PID:4872
                                        • C:\Windows\SysWOW64\takeown.exe
                                          takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
                                          3⤵
                                          • Modifies file permissions
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4604
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner
                                          3⤵
                                            PID:4892
                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                              UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner
                                              4⤵
                                              • Executes dropped EXE
                                              PID:4836
                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                            3⤵
                                            • Executes dropped EXE
                                            PID:4852
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\wab.exe""
                                          2⤵
                                            PID:4992
                                            • C:\Windows\SysWOW64\cacls.exe
                                              cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
                                              3⤵
                                                PID:2520
                                              • C:\Windows\SysWOW64\takeown.exe
                                                takeown /F "C:\Program Files\Windows Mail\wab.exe"
                                                3⤵
                                                • Modifies file permissions
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:200
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wab.exe" -nobanner
                                                3⤵
                                                  PID:2504
                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                    UxaXqOSf.exe -accepteula "wab.exe" -nobanner
                                                    4⤵
                                                    • Executes dropped EXE
                                                    PID:1680
                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                  3⤵
                                                  • Executes dropped EXE
                                                  PID:3104
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
                                                2⤵
                                                  PID:980
                                                  • C:\Windows\SysWOW64\cacls.exe
                                                    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
                                                    3⤵
                                                      PID:672
                                                    • C:\Windows\SysWOW64\takeown.exe
                                                      takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
                                                      3⤵
                                                      • Modifies file permissions
                                                      PID:4380
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "classes.jsa" -nobanner
                                                      3⤵
                                                        PID:4488
                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                          UxaXqOSf.exe -accepteula "classes.jsa" -nobanner
                                                          4⤵
                                                          • Executes dropped EXE
                                                          PID:3004
                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                        UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                        3⤵
                                                        • Executes dropped EXE
                                                        PID:252
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
                                                      2⤵
                                                        PID:4416
                                                        • C:\Windows\SysWOW64\cacls.exe
                                                          cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
                                                          3⤵
                                                            PID:4780
                                                          • C:\Windows\SysWOW64\takeown.exe
                                                            takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
                                                            3⤵
                                                            • Modifies file permissions
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4464
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                                            3⤵
                                                              PID:4432
                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                                                4⤵
                                                                • Executes dropped EXE
                                                                PID:4772
                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                              UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                              3⤵
                                                              • Executes dropped EXE
                                                              PID:1020
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""
                                                            2⤵
                                                              PID:4396
                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C
                                                                3⤵
                                                                  PID:4612
                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                  takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"
                                                                  3⤵
                                                                  • Modifies file permissions
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4764
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SenseSampleUploader.exe" -nobanner
                                                                  3⤵
                                                                    PID:5004
                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                      UxaXqOSf.exe -accepteula "SenseSampleUploader.exe" -nobanner
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:4984
                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    PID:4576
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
                                                                  2⤵
                                                                    PID:4868
                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                      cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
                                                                      3⤵
                                                                        PID:4184
                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                        takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
                                                                        3⤵
                                                                        • Modifies file permissions
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4152
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "BrowserCore.exe" -nobanner
                                                                        3⤵
                                                                          PID:5044
                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                            UxaXqOSf.exe -accepteula "BrowserCore.exe" -nobanner
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            PID:3792
                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          PID:408
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\WinMail.exe""
                                                                        2⤵
                                                                          PID:4156
                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                            cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
                                                                            3⤵
                                                                              PID:4948
                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                              takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
                                                                              3⤵
                                                                              • Modifies file permissions
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:576
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner
                                                                              3⤵
                                                                                PID:4168
                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                  UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:248
                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                PID:260
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""
                                                                              2⤵
                                                                                PID:4128
                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                  cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C
                                                                                  3⤵
                                                                                    PID:4436
                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
                                                                                    3⤵
                                                                                    • Modifies file permissions
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3824
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "MsSense.exe" -nobanner
                                                                                    3⤵
                                                                                      PID:4404
                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                        UxaXqOSf.exe -accepteula "MsSense.exe" -nobanner
                                                                                        4⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4340
                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:4216
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
                                                                                    2⤵
                                                                                      PID:4500
                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                        cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                        3⤵
                                                                                          PID:4988
                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                          takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
                                                                                          3⤵
                                                                                          • Modifies file permissions
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4856
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                          3⤵
                                                                                            PID:4584
                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                              UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                              4⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:4820
                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:4840
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
                                                                                          2⤵
                                                                                            PID:5040
                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                              cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                              3⤵
                                                                                                PID:4224
                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
                                                                                                3⤵
                                                                                                • Modifies file permissions
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3036
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                3⤵
                                                                                                  PID:4072
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                    UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                    4⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:4112
                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:748
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
                                                                                                2⤵
                                                                                                  PID:4632
                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
                                                                                                    3⤵
                                                                                                      PID:4544
                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                      takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
                                                                                                      3⤵
                                                                                                      • Modifies file permissions
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3808
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                      3⤵
                                                                                                        PID:4680
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                          UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                          4⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:4160
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                        UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                        3⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:5112
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
                                                                                                      2⤵
                                                                                                        PID:4592
                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                          cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
                                                                                                          3⤵
                                                                                                            PID:4588
                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                            takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
                                                                                                            3⤵
                                                                                                            • Modifies file permissions
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4196
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner
                                                                                                            3⤵
                                                                                                              PID:4496
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner
                                                                                                                4⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:4556
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                              UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                              3⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4916
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
                                                                                                            2⤵
                                                                                                              PID:4976
                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
                                                                                                                3⤵
                                                                                                                  PID:2400
                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                  takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
                                                                                                                  3⤵
                                                                                                                  • Modifies file permissions
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:2492
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "BrowserCore.exe.mui" -nobanner
                                                                                                                  3⤵
                                                                                                                    PID:276
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                      UxaXqOSf.exe -accepteula "BrowserCore.exe.mui" -nobanner
                                                                                                                      4⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:4804
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                    3⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:4100
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
                                                                                                                  2⤵
                                                                                                                    PID:4672
                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                      cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
                                                                                                                      3⤵
                                                                                                                        PID:5088
                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                        takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"
                                                                                                                        3⤵
                                                                                                                        • Modifies file permissions
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:4968
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "MsSense.exe.mui" -nobanner
                                                                                                                        3⤵
                                                                                                                          PID:4848
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                            UxaXqOSf.exe -accepteula "MsSense.exe.mui" -nobanner
                                                                                                                            4⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2592
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                          3⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:4860
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
                                                                                                                        2⤵
                                                                                                                          PID:4828
                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                            cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                            3⤵
                                                                                                                              PID:4104
                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                              takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
                                                                                                                              3⤵
                                                                                                                              • Modifies file permissions
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:3940
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                              3⤵
                                                                                                                                PID:4796
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                  UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                  4⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:4768
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:244
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
                                                                                                                              2⤵
                                                                                                                                PID:4676
                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                  cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
                                                                                                                                  3⤵
                                                                                                                                    PID:2596
                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"
                                                                                                                                    3⤵
                                                                                                                                    • Modifies file permissions
                                                                                                                                    PID:5080
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SenseCncProxy.exe" -nobanner
                                                                                                                                    3⤵
                                                                                                                                      PID:4108
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                        UxaXqOSf.exe -accepteula "SenseCncProxy.exe" -nobanner
                                                                                                                                        4⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:4504
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                      3⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:2404
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
                                                                                                                                    2⤵
                                                                                                                                      PID:416
                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                        cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
                                                                                                                                        3⤵
                                                                                                                                          PID:4880
                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                          takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
                                                                                                                                          3⤵
                                                                                                                                          • Modifies file permissions
                                                                                                                                          PID:4844
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
                                                                                                                                          3⤵
                                                                                                                                            PID:4928
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                              UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:4536
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:256
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
                                                                                                                                          2⤵
                                                                                                                                            PID:4356
                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                              cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
                                                                                                                                              3⤵
                                                                                                                                                PID:5108
                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
                                                                                                                                                3⤵
                                                                                                                                                • Modifies file permissions
                                                                                                                                                PID:4696
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Identity-H" -nobanner
                                                                                                                                                3⤵
                                                                                                                                                  PID:5096
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                    UxaXqOSf.exe -accepteula "Identity-H" -nobanner
                                                                                                                                                    4⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:4220
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                  3⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:4912
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
                                                                                                                                                2⤵
                                                                                                                                                  PID:4348
                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
                                                                                                                                                    3⤵
                                                                                                                                                      PID:4608
                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                      takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2764
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                        3⤵
                                                                                                                                                          PID:4712
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                            UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner
                                                                                                                                                            4⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:4960
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                          3⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:4452
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
                                                                                                                                                        2⤵
                                                                                                                                                          PID:4476
                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                            cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
                                                                                                                                                            3⤵
                                                                                                                                                              PID:5024
                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                              takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
                                                                                                                                                              3⤵
                                                                                                                                                              • Modifies file permissions
                                                                                                                                                              PID:4528
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                              3⤵
                                                                                                                                                                PID:4972
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                  UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner
                                                                                                                                                                  4⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:4956
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                3⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:2500
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
                                                                                                                                                              2⤵
                                                                                                                                                                PID:4188
                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                  cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:4920
                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                    PID:5092
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Identity-V" -nobanner
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:4616
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                        UxaXqOSf.exe -accepteula "Identity-V" -nobanner
                                                                                                                                                                        4⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:268
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:4952
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:4908
                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                        cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:5072
                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                          takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                          PID:4808
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:4864
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                              UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner
                                                                                                                                                                              4⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:4596
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:4332
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:5104
                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:4392
                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                PID:4492
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:4700
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                    UxaXqOSf.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:4924
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  PID:4420
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:4232
                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:4344
                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                      takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                      PID:4448
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:4980
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                          UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:4240
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                        UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:4424
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:5116
                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                          cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:4904
                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                            PID:4936
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:3976
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                PID:272
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                              UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              PID:4964
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:4460
                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:4996
                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                  takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat"
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                  PID:5020
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:5016
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                      UxaXqOSf.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:2524
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:4784
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:4932
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                      cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:4456
                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                        takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:4408
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:4564
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                            UxaXqOSf.exe -accepteula "settings.dat" -nobanner
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:4812
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:4740
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:4572
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                              cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:4628
                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                PID:5132
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "superbar.png" -nobanner
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:5152
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula "superbar.png" -nobanner
                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                      PID:5168
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:5192
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:5216
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                        cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:5264
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                          takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                          PID:5284
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "edb.chk" -nobanner
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:5304
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                              UxaXqOSf.exe -accepteula "edb.chk" -nobanner
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                PID:5320
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                              UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:5344
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:5368
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                  cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:5416
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5436
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "device.png" -nobanner
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:5456
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                        UxaXqOSf.exe -accepteula "device.png" -nobanner
                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                          PID:5472
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                        UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:5496
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:5520
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                            cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:5568
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                              takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json"
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                              PID:5592
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "utc.cert.json" -nobanner
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:5612
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula "utc.cert.json" -nobanner
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:5628
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:5656
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:5680
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                      cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:5728
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                        takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                        PID:5748
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:5768
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                              PID:5784
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:5808
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:5832
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:5880
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                  takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  PID:5900
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "overlay.png" -nobanner
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:5920
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula "overlay.png" -nobanner
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                        PID:5936
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:5960
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:5984
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                          cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:6032
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                            takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:6052
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "utc.tracing.json" -nobanner
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:6072
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula "utc.tracing.json" -nobanner
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:6088
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                    PID:6112
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:6136
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                      cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:5180
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                        takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "qmgr.jfm" -nobanner
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                          PID:5196
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula "qmgr.jfm" -nobanner
                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                              PID:4896
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                              PID:5224
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:5292
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:5352
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                  takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                  PID:5260
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:5240
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:5376
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                        PID:5432
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:5448
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                          cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:5512
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                            PID:5400
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:5380
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                  PID:5588
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:5596
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:5648
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:5560
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                      PID:5540
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:5744
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                            PID:5764
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:5804
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:5820
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                              cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:5692
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                PID:5892
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:5904
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                      PID:5956
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:5972
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:5872
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:6036
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                          PID:6080
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:6104
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                              UxaXqOSf.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                PID:6124
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                              UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:6016
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                PID:5996
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                    PID:4200
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                    PID:4900
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5276
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                        UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5148
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                        UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5128
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5356
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:5252
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                              PID:5428
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "OfficeIntegrator.ps1" -nobanner
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5300
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula "OfficeIntegrator.ps1" -nobanner
                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5296
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5500
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5580
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                      cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:5468
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                        takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json"
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                        PID:5476
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "utc.app.json" -nobanner
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:5616
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula "utc.app.json" -nobanner
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:5552
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:5752
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:5740
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:5660
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                  PID:5848
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:5912
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:5940
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:5928
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:5700
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:6060
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                            PID:6096
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:6012
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6084
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:5992
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:6040
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5280
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5136
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "StorageHealthModel.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:5360
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula "StorageHealthModel.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5212
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5172
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5420
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:5328
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"
                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5404
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "vedatamodel.edb" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:496
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula "vedatamodel.edb" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5236
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5516
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5556
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5776
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5572
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5780
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5828
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5916
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""
                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5944
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5564
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp"
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5812
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6076
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6132
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6120
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6044
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6140
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5232
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "background.png" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5200
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula "background.png" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5204
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5444
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""
                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5100
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5228
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5608
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5424
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5484
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5412
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "edbres00001.jrs" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula "edbres00001.jrs" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "KnownGameList.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula "KnownGameList.bin" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "watermark.png" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              UxaXqOSf.exe -accepteula "watermark.png" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "osver.txt" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        UxaXqOSf.exe -accepteula "osver.txt" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "edbres00002.jrs" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula "edbres00002.jrs" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "background.png" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula "background.png" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wab.exe" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula "wab.exe" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "vedatamodel.jfm" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula "vedatamodel.jfm" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Data1.cab" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula "Data1.cab" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\parse.dat""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cacls "C:\Users\All Users\Microsoft\Diagnosis\parse.dat" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          takeown /F "C:\Users\All Users\Microsoft\Diagnosis\parse.dat"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "parse.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula "parse.dat" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SmsInterceptStore.jfm" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula "SmsInterceptStore.jfm" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\lZgqBLCp.bat"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      vssadmin Delete Shadows /All /Quiet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      wmic SHADOWCOPY DELETE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5072
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      bcdedit /set {default} recoveryenabled No
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies boot configuration data using bcdedit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\bcdedit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies boot configuration data using bcdedit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SCHTASKS /Delete /TN DSHCA /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5032

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Downloads