matrix | 224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
08-03-2021 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new_jdpr.exe
Size

1.3MB
MD5

2c52f3918b636736bdf0022c64115b26
SHA1

88cf55ae8c77ed23219e7c8fe794afa93301ad6d
SHA256

224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914
SHA512

551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Score

10^/10

matrix discovery evasion persistence ransomware spyware upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

new_jdpr.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-PT\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Packages\DesktopView_cw5n1h2txyewy\Settings\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\All Users\Microsoft\Network\Downloader\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Latn-RS\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cs\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\vi\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Mozilla Firefox\fonts\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\JDPR_README.rtf	new_jdpr.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3140 bcdedit.exe
3148 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

e905pXEL64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS e905pXEL64.exe

pid	process
3140	bcdedit.exe
3148	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	e905pXEL64.exe

Executes dropped EXE 64 IoCs

Processes:

NWGesn9z.exee905pXEL.exee905pXEL64.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exee905pXEL.exe

pid	process
3700	NWGesn9z.exe
3124	e905pXEL.exe
3652	e905pXEL64.exe
4076	e905pXEL.exe
4336	e905pXEL.exe
4340	e905pXEL.exe
4348	e905pXEL.exe
2248	e905pXEL.exe
2096	e905pXEL.exe
3132	e905pXEL.exe
1012	e905pXEL.exe
3308	e905pXEL.exe
4976	e905pXEL.exe
4560	e905pXEL.exe
212	e905pXEL.exe
4564	e905pXEL.exe
1112	e905pXEL.exe
2172	e905pXEL.exe
976	e905pXEL.exe
4324	e905pXEL.exe
4044	e905pXEL.exe
4900	e905pXEL.exe
3408	e905pXEL.exe
4888	e905pXEL.exe
304	e905pXEL.exe
2708	e905pXEL.exe
2240	e905pXEL.exe
4400	e905pXEL.exe
2576	e905pXEL.exe
4084	e905pXEL.exe
4600	e905pXEL.exe
3540	e905pXEL.exe
4912	e905pXEL.exe
3080	e905pXEL.exe
4396	e905pXEL.exe
208	e905pXEL.exe
2092	e905pXEL.exe
2524	e905pXEL.exe
2340	e905pXEL.exe
4056	e905pXEL.exe
4588	e905pXEL.exe
1916	e905pXEL.exe
4544	e905pXEL.exe
3552	e905pXEL.exe
3140	e905pXEL.exe
3580	e905pXEL.exe
3752	e905pXEL.exe
60	e905pXEL.exe
3168	e905pXEL.exe
2216	e905pXEL.exe
1584	e905pXEL.exe
4572	e905pXEL.exe
4240	e905pXEL.exe
3012	e905pXEL.exe
3668	e905pXEL.exe
5156	e905pXEL.exe
5176	e905pXEL.exe
5284	e905pXEL.exe
5304	e905pXEL.exe
5408	e905pXEL.exe
5424	e905pXEL.exe
5528	e905pXEL.exe
5544	e905pXEL.exe
5648	e905pXEL.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe	upx

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
6060	takeown.exe
6048	takeown.exe
3544	takeown.exe
4740	takeown.exe
4664	takeown.exe
5256	takeown.exe
5980	takeown.exe
5332	takeown.exe
204	takeown.exe
5380	takeown.exe
3016	takeown.exe
5616	takeown.exe
5992	takeown.exe
1524	takeown.exe
5860	takeown.exe
6104	takeown.exe
4944	takeown.exe
3488	takeown.exe
4520	takeown.exe
6096	takeown.exe
4248	takeown.exe
6028	takeown.exe
2584	takeown.exe
4496	takeown.exe
3940	takeown.exe
4368	takeown.exe
5252	takeown.exe
3588	takeown.exe
6100	takeown.exe
5716	takeown.exe
6036	takeown.exe
5772	takeown.exe
5236	takeown.exe
5676	takeown.exe
5404	takeown.exe
5448	takeown.exe
672	takeown.exe
4792	takeown.exe
5740	takeown.exe
5936	takeown.exe
5164	takeown.exe
5336	takeown.exe
4212	takeown.exe
5128	takeown.exe
5744	takeown.exe
980	takeown.exe
5432	takeown.exe
3656	takeown.exe
200	takeown.exe
5500	takeown.exe
2060	takeown.exe
4908	takeown.exe
720	takeown.exe
4252	takeown.exe
2880	takeown.exe
288	takeown.exe
5816	takeown.exe
5372	takeown.exe
316	takeown.exe
5620	takeown.exe
5504	takeown.exe
2956	takeown.exe
4632	takeown.exe
3116	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 26 IoCs

Processes:

new_jdpr.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\desktop.ini	new_jdpr.exe
File opened for modification	C:\Program Files\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	new_jdpr.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

new_jdpr.exee905pXEL64.exe

description	ioc	process
File opened (read-only)	\??\U:	new_jdpr.exe
File opened (read-only)	\??\S:	new_jdpr.exe
File opened (read-only)	\??\N:	new_jdpr.exe
File opened (read-only)	\??\J:	new_jdpr.exe
File opened (read-only)	\??\B:	e905pXEL64.exe
File opened (read-only)	\??\Q:	e905pXEL64.exe
File opened (read-only)	\??\X:	e905pXEL64.exe
File opened (read-only)	\??\M:	new_jdpr.exe
File opened (read-only)	\??\A:	e905pXEL64.exe
File opened (read-only)	\??\T:	e905pXEL64.exe
File opened (read-only)	\??\Y:	new_jdpr.exe
File opened (read-only)	\??\F:	e905pXEL64.exe
File opened (read-only)	\??\I:	e905pXEL64.exe
File opened (read-only)	\??\N:	e905pXEL64.exe
File opened (read-only)	\??\Z:	e905pXEL64.exe
File opened (read-only)	\??\K:	e905pXEL64.exe
File opened (read-only)	\??\Z:	new_jdpr.exe
File opened (read-only)	\??\V:	new_jdpr.exe
File opened (read-only)	\??\T:	new_jdpr.exe
File opened (read-only)	\??\I:	new_jdpr.exe
File opened (read-only)	\??\G:	new_jdpr.exe
File opened (read-only)	\??\E:	e905pXEL64.exe
File opened (read-only)	\??\J:	e905pXEL64.exe
File opened (read-only)	\??\W:	e905pXEL64.exe
File opened (read-only)	\??\X:	new_jdpr.exe
File opened (read-only)	\??\W:	new_jdpr.exe
File opened (read-only)	\??\U:	e905pXEL64.exe
File opened (read-only)	\??\H:	new_jdpr.exe
File opened (read-only)	\??\E:	new_jdpr.exe
File opened (read-only)	\??\G:	e905pXEL64.exe
File opened (read-only)	\??\O:	e905pXEL64.exe
File opened (read-only)	\??\P:	e905pXEL64.exe
File opened (read-only)	\??\S:	e905pXEL64.exe
File opened (read-only)	\??\V:	e905pXEL64.exe
File opened (read-only)	\??\Q:	new_jdpr.exe
File opened (read-only)	\??\P:	new_jdpr.exe
File opened (read-only)	\??\O:	new_jdpr.exe
File opened (read-only)	\??\L:	new_jdpr.exe
File opened (read-only)	\??\M:	e905pXEL64.exe
File opened (read-only)	\??\Y:	e905pXEL64.exe
File opened (read-only)	\??\R:	new_jdpr.exe
File opened (read-only)	\??\K:	new_jdpr.exe
File opened (read-only)	\??\F:	new_jdpr.exe
File opened (read-only)	\??\H:	e905pXEL64.exe
File opened (read-only)	\??\L:	e905pXEL64.exe
File opened (read-only)	\??\R:	e905pXEL64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7ZPKpRzd.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

new_jdpr.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_delete@1x.png	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons.png	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\boot.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-1x.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-focus_32.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\ui-strings.js	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_multi_filetype.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\JDPR_README.rtf	new_jdpr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

188 schtasks.exe

pid	process
188	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4908 vssadmin.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5624 WINWORD.EXE
5624 WINWORD.EXE

pid	process
4908	vssadmin.exe

pid	process
5624	WINWORD.EXE
5624	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

e905pXEL64.exe

pid	process
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe
3652	e905pXEL64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

e905pXEL64.exe

pid process

3652 e905pXEL64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exee905pXEL64.exetakeown.exevssvc.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3544	takeown.exe
Token: SeDebugPrivilege	3652	e905pXEL64.exe
Token: SeLoadDriverPrivilege	3652	e905pXEL64.exe
Token: SeTakeOwnershipPrivilege	204	takeown.exe
Token: SeBackupPrivilege	4688	vssvc.exe
Token: SeRestorePrivilege	4688	vssvc.exe
Token: SeAuditPrivilege	4688	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe
Token: SeCreatePagefilePrivilege	4600	WMIC.exe
Token: SeBackupPrivilege	4600	WMIC.exe
Token: SeRestorePrivilege	4600	WMIC.exe
Token: SeShutdownPrivilege	4600	WMIC.exe
Token: SeDebugPrivilege	4600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4600	WMIC.exe
Token: SeRemoteShutdownPrivilege	4600	WMIC.exe
Token: SeUndockPrivilege	4600	WMIC.exe
Token: SeManageVolumePrivilege	4600	WMIC.exe
Token: 33	4600	WMIC.exe
Token: 34	4600	WMIC.exe
Token: 35	4600	WMIC.exe
Token: 36	4600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe
Token: SeCreatePagefilePrivilege	4600	WMIC.exe
Token: SeBackupPrivilege	4600	WMIC.exe
Token: SeRestorePrivilege	4600	WMIC.exe
Token: SeShutdownPrivilege	4600	WMIC.exe
Token: SeDebugPrivilege	4600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4600	WMIC.exe
Token: SeRemoteShutdownPrivilege	4600	WMIC.exe
Token: SeUndockPrivilege	4600	WMIC.exe
Token: SeManageVolumePrivilege	4600	WMIC.exe
Token: 33	4600	WMIC.exe
Token: 34	4600	WMIC.exe
Token: 35	4600	WMIC.exe
Token: 36	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	takeown.exe
Token: SeTakeOwnershipPrivilege	2584	takeown.exe
Token: SeTakeOwnershipPrivilege	4496	takeown.exe
Token: SeTakeOwnershipPrivilege	4908	takeown.exe
Token: SeTakeOwnershipPrivilege	3656	takeown.exe
Token: SeTakeOwnershipPrivilege	720	takeown.exe
Token: SeTakeOwnershipPrivilege	4632	takeown.exe
Token: SeTakeOwnershipPrivilege	3488	takeown.exe
Token: SeTakeOwnershipPrivilege	3588	takeown.exe
Token: SeTakeOwnershipPrivilege	4212	takeown.exe
Token: SeTakeOwnershipPrivilege	200	takeown.exe
Token: SeTakeOwnershipPrivilege	4248	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeTakeOwnershipPrivilege	4792	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

5624 WINWORD.EXE
5624 WINWORD.EXE
5624 WINWORD.EXE
5624 WINWORD.EXE
5624 WINWORD.EXE
5624 WINWORD.EXE
5624 WINWORD.EXE
5624 WINWORD.EXE

pid	process
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE
5624	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

new_jdpr.execmd.execmd.exewscript.execmd.execmd.execmd.execmd.execmd.exee905pXEL.exe

description	pid	process	target process
PID 4800 wrote to memory of 2816	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 2816	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 2816	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 3700	4800	new_jdpr.exe	NWGesn9z.exe
PID 4800 wrote to memory of 3700	4800	new_jdpr.exe	NWGesn9z.exe
PID 4800 wrote to memory of 3700	4800	new_jdpr.exe	NWGesn9z.exe
PID 4800 wrote to memory of 3984	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 3984	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 3984	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4068	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4068	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4068	4800	new_jdpr.exe	cmd.exe
PID 3984 wrote to memory of 4440	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 4440	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 4440	3984	cmd.exe	reg.exe
PID 4068 wrote to memory of 4576	4068	cmd.exe	wscript.exe
PID 4068 wrote to memory of 4576	4068	cmd.exe	wscript.exe
PID 4068 wrote to memory of 4576	4068	cmd.exe	wscript.exe
PID 3984 wrote to memory of 4584	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 4584	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 4584	3984	cmd.exe	reg.exe
PID 4800 wrote to memory of 4604	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4604	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4604	4800	new_jdpr.exe	cmd.exe
PID 4576 wrote to memory of 4760	4576	wscript.exe	cmd.exe
PID 4576 wrote to memory of 4760	4576	wscript.exe	cmd.exe
PID 4576 wrote to memory of 4760	4576	wscript.exe	cmd.exe
PID 3984 wrote to memory of 228	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 228	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 228	3984	cmd.exe	reg.exe
PID 4760 wrote to memory of 188	4760	cmd.exe	schtasks.exe
PID 4760 wrote to memory of 188	4760	cmd.exe	schtasks.exe
PID 4760 wrote to memory of 188	4760	cmd.exe	schtasks.exe
PID 4604 wrote to memory of 4516	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4516	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4516	4604	cmd.exe	cacls.exe
PID 4604 wrote to memory of 672	4604	cmd.exe	takeown.exe
PID 4604 wrote to memory of 672	4604	cmd.exe	takeown.exe
PID 4604 wrote to memory of 672	4604	cmd.exe	takeown.exe
PID 4576 wrote to memory of 708	4576	wscript.exe	cmd.exe
PID 4576 wrote to memory of 708	4576	wscript.exe	cmd.exe
PID 4576 wrote to memory of 708	4576	wscript.exe	cmd.exe
PID 708 wrote to memory of 2148	708	cmd.exe	schtasks.exe
PID 708 wrote to memory of 2148	708	cmd.exe	schtasks.exe
PID 708 wrote to memory of 2148	708	cmd.exe	schtasks.exe
PID 4604 wrote to memory of 2528	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 2528	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 2528	4604	cmd.exe	cmd.exe
PID 2528 wrote to memory of 3124	2528	cmd.exe	e905pXEL.exe
PID 2528 wrote to memory of 3124	2528	cmd.exe	e905pXEL.exe
PID 2528 wrote to memory of 3124	2528	cmd.exe	e905pXEL.exe
PID 4800 wrote to memory of 4736	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4736	4800	new_jdpr.exe	cmd.exe
PID 4800 wrote to memory of 4736	4800	new_jdpr.exe	cmd.exe
PID 4736 wrote to memory of 3068	4736	cmd.exe	cacls.exe
PID 4736 wrote to memory of 3068	4736	cmd.exe	cacls.exe
PID 4736 wrote to memory of 3068	4736	cmd.exe	cacls.exe
PID 4736 wrote to memory of 3544	4736	cmd.exe	takeown.exe
PID 4736 wrote to memory of 3544	4736	cmd.exe	takeown.exe
PID 4736 wrote to memory of 3544	4736	cmd.exe	takeown.exe
PID 3124 wrote to memory of 3652	3124	e905pXEL.exe	e905pXEL64.exe
PID 3124 wrote to memory of 3652	3124	e905pXEL.exe	e905pXEL64.exe
PID 4736 wrote to memory of 4080	4736	cmd.exe	cmd.exe
PID 4736 wrote to memory of 4080	4736	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe
"C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe" "C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe"
2⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe
"C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe" -n
2⤵
- Executes dropped EXE
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7ZPKpRzd.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7ZPKpRzd.bmp" /f
3⤵
- Sets desktop wallpaper using registry
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
3⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zJlayFkZ.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\wscript.exe
wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zJlayFkZ.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fWONOKas.bat" /sc minute /mo 5 /RL HIGHEST /F
4⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fWONOKas.bat" /sc minute /mo 5 /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
4⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /I /tn DSHCA
5⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
3⤵
PID:4516

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
3⤵
- Modifies file permissions
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "qmgr.db" -nobanner
3⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "qmgr.db" -nobanner
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\e905pXEL64.exe
e905pXEL.exe -accepteula "qmgr.db" -nobanner
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
2⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
3⤵
PID:3068

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SmsInterceptStore.db" -nobanner
3⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SmsInterceptStore.db" -nobanner
4⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
2⤵
PID:4232

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
3⤵
PID:3092

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
3⤵
- Modifies file permissions
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "classes.jsa" -nobanner
3⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "classes.jsa" -nobanner
4⤵
- Executes dropped EXE
PID:4340

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
2⤵
PID:4552

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
3⤵
PID:4640

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
3⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
2⤵
PID:4136

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
3⤵
PID:2836

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "manifest.json" -nobanner
3⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "manifest.json" -nobanner
4⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
2⤵
PID:2120

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
3⤵
PID:2932

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
3⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
4⤵
- Executes dropped EXE
PID:3308

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
2⤵
PID:532

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
3⤵
PID:3988

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:4560

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
2⤵
PID:4744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
3⤵
PID:3160

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "BrowserCore.exe.mui" -nobanner
3⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "BrowserCore.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\WinMail.exe""
2⤵
PID:372

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
3⤵
PID:2064

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe" -nobanner
3⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "WinMail.exe" -nobanner
4⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\wab.exe""
2⤵
PID:2684

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
3⤵
PID:4060

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\wab.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wab.exe" -nobanner
3⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "wab.exe" -nobanner
4⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""
2⤵
PID:3144

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C
3⤵
PID:4592

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SenseSampleUploader.exe" -nobanner
3⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SenseSampleUploader.exe" -nobanner
4⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
2⤵
PID:284

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
3⤵
PID:2736

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "BrowserCore.exe" -nobanner
3⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "BrowserCore.exe" -nobanner
4⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
2⤵
PID:2072

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
3⤵
PID:4532

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SenseCncProxy.exe" -nobanner
3⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SenseCncProxy.exe" -nobanner
4⤵
- Executes dropped EXE
PID:2708

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
2⤵
PID:2204

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
3⤵
PID:4420

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
3⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
2⤵
PID:3076

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
3⤵
PID:2228

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
3⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
4⤵
- Executes dropped EXE
PID:4084

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
2⤵
PID:308

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
3⤵
PID:4620

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
3⤵
- Modifies file permissions
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "classes.jsa" -nobanner
3⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "classes.jsa" -nobanner
4⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
2⤵
PID:2188

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
3⤵
PID:2892

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
3⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
4⤵
- Executes dropped EXE
PID:3080

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Mail\wabmig.exe""
2⤵
PID:2592

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
3⤵
PID:4836

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wabmig.exe" -nobanner
3⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "wabmig.exe" -nobanner
4⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""
2⤵
PID:4896

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C
3⤵
PID:4904

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "MsSense.exe" -nobanner
3⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "MsSense.exe" -nobanner
4⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
2⤵
PID:4660

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
3⤵
PID:3148

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
3⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
2⤵
PID:1556

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
3⤵
PID:3424

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
3⤵
- Modifies file permissions
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Identity-V" -nobanner
3⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "Identity-V" -nobanner
4⤵
- Executes dropped EXE
PID:1916

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
2⤵
PID:4832

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
3⤵
PID:3904

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
3⤵
- Modifies file permissions
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "PhotoViewer.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
2⤵
PID:4612

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
3⤵
PID:2960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"
3⤵
- Modifies file permissions
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "MsSense.exe.mui" -nobanner
3⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "MsSense.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:3580

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
2⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
3⤵
PID:4040

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
3⤵
- Modifies file permissions
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
3⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:60

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
2⤵
PID:3120

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
3⤵
PID:2132

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
3⤵
- Modifies file permissions
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
3⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
4⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
2⤵
PID:4360

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
3⤵
PID:296

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
3⤵
PID:300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
3⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "Workflow.Targets" -nobanner
4⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
2⤵
PID:3696

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
3⤵
PID:3972

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
3⤵
- Modifies file permissions
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
3⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "ImagingDevices.exe" -nobanner
4⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
2⤵
PID:1284

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
3⤵
PID:2632

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
3⤵
- Modifies file permissions
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe" -nobanner
3⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "WinMail.exe" -nobanner
4⤵
- Executes dropped EXE
PID:5156

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
2⤵
PID:5196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
3⤵
PID:5240

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
3⤵
- Modifies file permissions
PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "KnownGameList.bin" -nobanner
3⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "KnownGameList.bin" -nobanner
4⤵
- Executes dropped EXE
PID:5284

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
2⤵
PID:5320

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
3⤵
PID:5364

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
3⤵
- Modifies file permissions
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Identity-H" -nobanner
3⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "Identity-H" -nobanner
4⤵
- Executes dropped EXE
PID:5408

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
2⤵
PID:5440

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
3⤵
PID:5484

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
3⤵
- Modifies file permissions
PID:5500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
3⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "ImagingDevices.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:5528

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:5544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
2⤵
PID:5560

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
3⤵
PID:5604

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
3⤵
- Modifies file permissions
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
3⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "PhotoAcq.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:5648

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
2⤵
PID:5680

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
3⤵
PID:5724

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
3⤵
- Modifies file permissions
PID:5740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
3⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "WinMail.exe.mui" -nobanner
4⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
2⤵
PID:5800

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
3⤵
PID:5844

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
3⤵
- Modifies file permissions
PID:5860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
3⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "msoeres.dll.mui" -nobanner
4⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
2⤵
PID:5920

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
3⤵
PID:5964

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
3⤵
- Modifies file permissions
PID:5980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
3⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
4⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
2⤵
PID:6040

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
3⤵
PID:6084

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json"
3⤵
- Modifies file permissions
PID:6100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "utc.app.json" -nobanner
3⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "utc.app.json" -nobanner
4⤵
PID:6132

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
2⤵
PID:5136

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
3⤵
PID:2888

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
3⤵
- Modifies file permissions
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
3⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
4⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
2⤵
PID:5288

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
3⤵
PID:5216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat"
3⤵
- Modifies file permissions
PID:5332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "settings.dat" -nobanner
3⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "settings.dat" -nobanner
4⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
2⤵
PID:5360

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
3⤵
PID:5492

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
3⤵
- Modifies file permissions
PID:5504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "settings.dat" -nobanner
3⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "settings.dat" -nobanner
4⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""
2⤵
PID:5472

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C
3⤵
PID:5660

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"
3⤵
- Modifies file permissions
PID:5676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "vedatamodel.jfm" -nobanner
3⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "vedatamodel.jfm" -nobanner
4⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
2⤵
PID:5728

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
3⤵
PID:5788

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
3⤵
- Modifies file permissions
PID:5716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "OfficeIntegrator.ps1" -nobanner
3⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "OfficeIntegrator.ps1" -nobanner
4⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
2⤵
PID:5896

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
3⤵
PID:5820

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
3⤵
- Modifies file permissions
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "watermark.png" -nobanner
3⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "watermark.png" -nobanner
4⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""
2⤵
PID:5988

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C
3⤵
PID:5960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"
3⤵
- Modifies file permissions
PID:5936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "osver.txt" -nobanner
3⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "osver.txt" -nobanner
4⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""
2⤵
PID:6128

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C
3⤵
PID:6072

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
3⤵
- Modifies file permissions
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "edbres00002.jrs" -nobanner
3⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "edbres00002.jrs" -nobanner
4⤵
PID:5268

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\parse.dat""
2⤵
PID:5188

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\parse.dat" /E /G Admin:F /C
3⤵
PID:5228

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\parse.dat"
3⤵
- Modifies file permissions
PID:5404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "parse.dat" -nobanner
3⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "parse.dat" -nobanner
4⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""
2⤵
PID:5276

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C
3⤵
PID:5556

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
3⤵
PID:5468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SmsInterceptStore.jfm" -nobanner
3⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SmsInterceptStore.jfm" -nobanner
4⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
2⤵
PID:5672

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
3⤵
PID:5632

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"
3⤵
- Modifies file permissions
PID:5616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
3⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
4⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
2⤵
PID:5892

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
3⤵
PID:5916

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
3⤵
- Modifies file permissions
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "StorageHealthModel.dat" -nobanner
3⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "StorageHealthModel.dat" -nobanner
4⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
2⤵
PID:5836

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
3⤵
PID:5948

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
3⤵
- Modifies file permissions
PID:6104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
3⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
4⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:6004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
2⤵
PID:5140

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
3⤵
PID:4916

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
3⤵
- Modifies file permissions
PID:6060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wabmig.exe" -nobanner
3⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "wabmig.exe" -nobanner
4⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
2⤵
PID:5384

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
3⤵
PID:5160

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
3⤵
- Modifies file permissions
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
3⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
4⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
2⤵
PID:5644

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
3⤵
PID:6112

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
3⤵
PID:5612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "wab.exe" -nobanner
3⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "wab.exe" -nobanner
4⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
2⤵
PID:5692

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
3⤵
PID:4772

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
3⤵
- Modifies file permissions
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "overlay.png" -nobanner
3⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "overlay.png" -nobanner
4⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
2⤵
PID:5828

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
3⤵
PID:6136

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
3⤵
- Modifies file permissions
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "utc.tracing.json" -nobanner
3⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "utc.tracing.json" -nobanner
4⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
2⤵
PID:5416

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
3⤵
PID:5248

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
3⤵
- Modifies file permissions
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "qmgr.jfm" -nobanner
3⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "qmgr.jfm" -nobanner
4⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
2⤵
PID:5600

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
3⤵
PID:5480

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
3⤵
- Modifies file permissions
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "background.png" -nobanner
3⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "background.png" -nobanner
4⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""
2⤵
PID:5536

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C
3⤵
PID:4764

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"
3⤵
- Modifies file permissions
PID:5744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
3⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
4⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
2⤵
PID:6032

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
3⤵
PID:6080

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
3⤵
- Modifies file permissions
PID:6036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "edbres00001.jrs" -nobanner
3⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "edbres00001.jrs" -nobanner
4⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
2⤵
PID:5344

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
3⤵
PID:5184

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
3⤵
- Modifies file permissions
PID:5372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
3⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
4⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""
2⤵
PID:5532

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C
3⤵
PID:5752

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"
3⤵
- Modifies file permissions
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "vedatamodel.edb" -nobanner
3⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "vedatamodel.edb" -nobanner
4⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
2⤵
PID:4376

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
3⤵
PID:6068

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
3⤵
- Modifies file permissions
PID:6028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "background.png" -nobanner
3⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "background.png" -nobanner
4⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
2⤵
PID:5388

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
3⤵
PID:5900

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
3⤵
- Modifies file permissions
PID:5336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
3⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
4⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
2⤵
PID:4996

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
3⤵
PID:5508

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
3⤵
- Modifies file permissions
PID:5236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "device.png" -nobanner
3⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "device.png" -nobanner
4⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
2⤵
PID:6064

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
3⤵
PID:5488

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json"
3⤵
- Modifies file permissions
PID:5252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "utc.cert.json" -nobanner
3⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "utc.cert.json" -nobanner
4⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
2⤵
PID:5264

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
3⤵
PID:6016

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
3⤵
- Modifies file permissions
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
3⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
4⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
2⤵
PID:5984

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
3⤵
PID:5864

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
3⤵
- Modifies file permissions
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "superbar.png" -nobanner
3⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "superbar.png" -nobanner
4⤵
PID:6076

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
2⤵
PID:3280

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
3⤵
PID:4768

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
3⤵
- Modifies file permissions
PID:5432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e905pXEL.exe -accepteula "edb.chk" -nobanner
3⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula "edb.chk" -nobanner
4⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
e905pXEL.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:5300

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\fWONOKas.bat"
1⤵
PID:1576

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:4908

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
2⤵
- Modifies boot configuration data using bcdedit
PID:3140

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:3148

C:\Windows\system32\schtasks.exe
SCHTASKS /Delete /TN DSHCA /F
2⤵
PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\Desktop\JDPR_README.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe
MD5
2c52f3918b636736bdf0022c64115b26

SHA1
88cf55ae8c77ed23219e7c8fe794afa93301ad6d

SHA256
224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

SHA512
551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWGesn9z.exe
MD5
2c52f3918b636736bdf0022c64115b26

SHA1
88cf55ae8c77ed23219e7c8fe794afa93301ad6d

SHA256
224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

SHA512
551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL64.exe
MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e905pXEL64.exe
MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmawqXJM.bat
MD5
b93bc6c4d82aed057c9a121a34e70e87

SHA1
842ca66ab42619df9eb14e929f8a2f004502cd15

SHA256
40974726baa318dc8a125e34154dd542dbc84ac2f01fd8471fa8378c52fc245e

SHA512
b66efb95b0faf517d2eb8dfc7aab627158eb2080f324a1e95fe8e0c2e5cde4c057eecc504d7358bc199f16e0f570c585431f198b31530d62096e1d96f8fc8a33

Download Submit
C:\Users\Admin\AppData\Roaming\fWONOKas.bat
MD5
63a4dafcb85736a27355f0dc350d1d43

SHA1
55bb430719cecb4af5b0decea6855607b037f2a9

SHA256
1bcd4f75f905419172635fd1f623be87066b5c64eb23e5b883011c3b9098c66a

SHA512
d234295dd5f4b642d2c50c3a11974a40cfc84de6c8344330c48850a37ae20a5c3c8807e0c8017c53915ca1f497e5d90691424fcaeef37aa5cc0c9fa075a9407c

Download Submit
C:\Users\Admin\AppData\Roaming\zJlayFkZ.vbs
MD5
8dc35a2bdd45f50761ff6e6e73ace33f

SHA1
c9b1b2e747f63be5769f2d4f8f16fac271c102eb

SHA256
dcded735388aca5e03dc0300e78b156f97df6412815b31dcbc41e28c735fad3d

SHA512
613ce3970cdd0115724bb33ef94b046c470b315131b86aa1ba13096393854e41b7be458d8b9b49e3a1b7eaace7d675ceccd08936b4417b66202f45e70d1fffa6

Download Submit
memory/188-16-0x0000000000000000-mapping.dmp

Download
memory/204-46-0x0000000000000000-mapping.dmp

Download
memory/212-80-0x0000000000000000-mapping.dmp

Download
memory/224-77-0x0000000000000000-mapping.dmp

Download
memory/228-14-0x0000000000000000-mapping.dmp

Download
memory/532-74-0x0000000000000000-mapping.dmp

Download
memory/672-18-0x0000000000000000-mapping.dmp

Download
memory/708-19-0x0000000000000000-mapping.dmp

Download
memory/1012-63-0x0000000000000000-mapping.dmp

Download
memory/2060-59-0x0000000000000000-mapping.dmp

Download
memory/2096-50-0x0000000000000000-mapping.dmp

Download
memory/2120-65-0x0000000000000000-mapping.dmp

Download
memory/2148-20-0x0000000000000000-mapping.dmp

Download
memory/2248-48-0x0000000000000000-mapping.dmp

Download
memory/2528-21-0x0000000000000000-mapping.dmp

Download
memory/2584-67-0x0000000000000000-mapping.dmp

Download
memory/2816-2-0x0000000000000000-mapping.dmp

Download
memory/2836-58-0x0000000000000000-mapping.dmp

Download
memory/2932-66-0x0000000000000000-mapping.dmp

Download
memory/2956-38-0x0000000000000000-mapping.dmp

Download
memory/2960-71-0x0000000000000000-mapping.dmp

Download
memory/3068-26-0x0000000000000000-mapping.dmp

Download
memory/3092-37-0x0000000000000000-mapping.dmp

Download
memory/3124-22-0x0000000000000000-mapping.dmp

Download
memory/3132-61-0x0000000000000000-mapping.dmp

Download
memory/3140-55-0x0000000000000000-mapping.dmp

Download
memory/3148-57-0x0000000000000000-mapping.dmp

Download
memory/3160-83-0x0000000000000000-mapping.dmp

Download
memory/3240-39-0x0000000000000000-mapping.dmp

Download
memory/3308-69-0x0000000000000000-mapping.dmp

Download
memory/3544-27-0x0000000000000000-mapping.dmp

Download
memory/3652-28-0x0000000000000000-mapping.dmp

Download
memory/3700-3-0x0000000000000000-mapping.dmp

Download
memory/3716-60-0x0000000000000000-mapping.dmp

Download
memory/3984-6-0x0000000000000000-mapping.dmp

Download
memory/3988-75-0x0000000000000000-mapping.dmp

Download
memory/4068-7-0x0000000000000000-mapping.dmp

Download
memory/4076-32-0x0000000000000000-mapping.dmp

Download
memory/4080-31-0x0000000000000000-mapping.dmp

Download
memory/4136-56-0x0000000000000000-mapping.dmp

Download
memory/4232-36-0x0000000000000000-mapping.dmp

Download
memory/4336-34-0x0000000000000000-mapping.dmp

Download
memory/4340-40-0x0000000000000000-mapping.dmp

Download
memory/4348-42-0x0000000000000000-mapping.dmp

Download
memory/4408-68-0x0000000000000000-mapping.dmp

Download
memory/4424-47-0x0000000000000000-mapping.dmp

Download
memory/4440-8-0x0000000000000000-mapping.dmp

Download
memory/4496-76-0x0000000000000000-mapping.dmp

Download
memory/4516-17-0x0000000000000000-mapping.dmp

Download
memory/4552-44-0x0000000000000000-mapping.dmp

Download
memory/4560-78-0x0000000000000000-mapping.dmp

Download
memory/4564-86-0x0000000000000000-mapping.dmp

Download
memory/4576-9-0x0000000000000000-mapping.dmp

Download
memory/4584-11-0x0000000000000000-mapping.dmp

Download
memory/4600-54-0x0000000000000000-mapping.dmp

Download
memory/4604-12-0x0000000000000000-mapping.dmp

Download
memory/4608-85-0x0000000000000000-mapping.dmp

Download
memory/4640-45-0x0000000000000000-mapping.dmp

Download
memory/4736-23-0x0000000000000000-mapping.dmp

Download
memory/4744-82-0x0000000000000000-mapping.dmp

Download
memory/4760-13-0x0000000000000000-mapping.dmp

Download
memory/4908-53-0x0000000000000000-mapping.dmp

Download
memory/4908-84-0x0000000000000000-mapping.dmp

Download
memory/4976-72-0x0000000000000000-mapping.dmp

Download
memory/5624-130-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/5624-131-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/5624-132-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/5624-133-0x00007FFA5B650000-0x00007FFA5BC87000-memory.dmp

Filesize
6.2MB

Download
memory/5624-134-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download