44c6d34c298f77d3914d42004275c5cfec9ea44857d0adbd6d3bd4da2dd838ee

Analysis

max time kernel
67s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240611-es
resource tags

arch:x64arch:x86image:win10v2004-20240611-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
01-07-2024 19:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

macOS Transformation Pack 5.0.exe
Size

187.8MB
MD5

ba5a81bd7b82b3abcc0d9735e480f9e5
SHA1

fdaa6fbe4cb3b752cacb5af17c8ee9c30584cd91
SHA256

8feb8e32ced641e2b1c2d83eda71ec82b7cea57cbcd37a474533fe19e94d4389
SHA512

695ce1907ac002888fd4551364823aad0e1b0a5a934c7f68b03e42f27f8140bb17fb18777314d4196f2b57e1a15a6f6fc0678f1f3aa4801f56ea6adc6e061f22
SSDEEP

3145728:dasbziO5XorIO+3BRplcdzPE6vhmA098yjkKsgTde0QyiczISK/vYi7Gx/POCVez:wsb7o7+xRjczPE6JnKAc0/QLx/1u3r

Score

8^/10

adware defense_evasion discovery evasion execution exploit persistence privilege_escalation spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Possible privilege escalation attempt 12 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
1700	icacls.exe
1268	icacls.exe
4100	icacls.exe
3968	icacls.exe
388	icacls.exe
3648	takeown.exe
1424	icacls.exe
1728	icacls.exe
3816	icacls.exe
904	icacls.exe
3272	icacls.exe
4768	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

macOS Transformation Pack 5.0.exeuxworker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	macOS Transformation Pack 5.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	uxworker.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

UXSTYL~2.EXEUXSTYL~2.EXEmoveex.exemoveex.exemoveex.exemoveex.exemoveex.exemoveex.exemoveex.exemoveex.exemoveex.exeuxworker.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXEPEChecksum.exemoveex.exeRESHAC~1.EXE

pid	process
3592	UXSTYL~2.EXE
3416	UXSTYL~2.EXE
3496	moveex.exe
1656	moveex.exe
3612	moveex.exe
3088	moveex.exe
4512	moveex.exe
3940	moveex.exe
2888	moveex.exe
4776	moveex.exe
3824	moveex.exe
1212	uxworker.exe
4764	RESHAC~1.EXE
4016	PEChecksum.exe
2676	moveex.exe
4312	RESHAC~1.EXE
4080	PEChecksum.exe
4296	moveex.exe
3236	RESHAC~1.EXE
2924	PEChecksum.exe
4960	moveex.exe
3024	RESHAC~1.EXE
1144	PEChecksum.exe
3612	moveex.exe
4572	RESHAC~1.EXE
4000	PEChecksum.exe
3656	moveex.exe
4684	RESHAC~1.EXE
3432	PEChecksum.exe
3436	moveex.exe
2164	RESHAC~1.EXE
3788	PEChecksum.exe
1056	moveex.exe
4204	RESHAC~1.EXE
3512	PEChecksum.exe
2484	moveex.exe
3468	RESHAC~1.EXE
408	PEChecksum.exe
2656	moveex.exe
552	RESHAC~1.EXE
2924	PEChecksum.exe
4960	moveex.exe
1424	RESHAC~1.EXE
4292	PEChecksum.exe
5008	moveex.exe
3088	RESHAC~1.EXE
2908	PEChecksum.exe
740	moveex.exe
3012	RESHAC~1.EXE
1876	PEChecksum.exe
3708	moveex.exe
2968	RESHAC~1.EXE
4800	PEChecksum.exe
1728	moveex.exe
5004	RESHAC~1.EXE
3380	PEChecksum.exe
1056	moveex.exe
4916	RESHAC~1.EXE
4044	PEChecksum.exe
3452	moveex.exe
1332	RESHAC~1.EXE
4296	PEChecksum.exe
972	moveex.exe
3580	RESHAC~1.EXE

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

macOS Transformation Pack 5.0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UnsignedThemes	macOS Transformation Pack 5.0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UnsignedThemes\ = "Service"	macOS Transformation Pack 5.0.exe

Loads dropped DLL 7 IoCs

Processes:

macOS Transformation Pack 5.0.exeUXSTYL~2.EXEregsvr32.exeregsvr32.exeregsvr32.exeuxworker.exe

pid process

2988 macOS Transformation Pack 5.0.exe
3416 UXSTYL~2.EXE
2964 regsvr32.exe
4276 regsvr32.exe
3580 regsvr32.exe
1212 uxworker.exe
1212 uxworker.exe

pid	process
2988	macOS Transformation Pack 5.0.exe
3416	UXSTYL~2.EXE
2964	regsvr32.exe
4276	regsvr32.exe
3580	regsvr32.exe
1212	uxworker.exe
1212	uxworker.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
1268	icacls.exe
3272	icacls.exe
3968	icacls.exe
3648	takeown.exe
1424	icacls.exe
1700	icacls.exe
1728	icacls.exe
3816	icacls.exe
904	icacls.exe
4100	icacls.exe
4768	takeown.exe
388	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

macOS Transformation Pack 5.0.exeUXSTYL~2.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UX Launcher = "C:\\Program Files (x86)\\UX Pack\\uxlaunch.exe"	macOS Transformation Pack 5.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{05560347-3a9b-4644-a8ed-8b64cc947189} = "\"C:\\ProgramData\\Package Cache\\{05560347-3a9b-4644-a8ed-8b64cc947189}\\UxStyle_Bundle.exe\" /quiet /uninstall /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\UxStyle_20240701193519.log\" /burn.runonce"	UXSTYL~2.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1"	regsvr32.exe

Drops file in System32 directory 8 IoCs

Processes:

macOS Transformation Pack 5.0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\PEChecksum.exe	macOS Transformation Pack 5.0.exe
File created	C:\Windows\SysWOW64\~GLH00ae.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\SysWOW64\PEChecksum.x64	macOS Transformation Pack 5.0.exe
File created	C:\Windows\SysWOW64\~GLH00ab.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\SysWOW64\moveex.exe	macOS Transformation Pack 5.0.exe
File created	C:\Windows\SysWOW64\~GLH00ac.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\SysWOW64\moveex.x64	macOS Transformation Pack 5.0.exe
File created	C:\Windows\SysWOW64\~GLH00ad.TMP	macOS Transformation Pack 5.0.exe

Drops file in Program Files directory 64 IoCs

Processes:

macOS Transformation Pack 5.0.exe

description	ioc	process
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\Icons\~GLH02bb.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Default.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\RocketDock\Icons\~GLH0131.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\Config.ini	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Maximized\~GLH01ba.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerRSS\~GLH02e0.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\YzShadow\~GLH03c3.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\Res\Images\ThemePackage.ico	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\Resources\browseui.dll.res	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\ViFind\resources\orb.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\RocketDock\standalonestack2\images\~GLH0175.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\Res\Strings\~GLH036e.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\Resources\batmeter.dll.res	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\main.xul	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XLaunchpad\Update\~GLH025b.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Icon\16.png	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerWeahter\icons\sun.png	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Maximized\top.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\~GLH027c.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XLaunchpad\Res\Images\checkbutton.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\Icons\~GLH02ba.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\Res\Template\DragDropTemp\~GLH0382.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\Resources\~GLH00c5.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\RocketDock\License.rtf	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\~GLH0399.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\VirtuaWin\icons\11.ico	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerRecycle\TRASHO.png	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\itunes.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerRSS\~GLH02dd.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerWeahter\icons\fog.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\RocketDock\Languages\~GLH0153.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Normal\right.png	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\DA.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\gdipp\~GLH00e9.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XLaunchpad\Res\Images\~GLH0256.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Normal\~GLH01c5.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Normal\top.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\ViFind\resources\~GLH01fb.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\~GLH028f.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\Resources\pnidui.dll.res	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\gdipp\FreeType\~GLH00ff.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\LeftSider\~GLH010c.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerGallaryView\main2.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerDirverdock\Icons\~GLH02af.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\Res\Lib\foo_xdcplugins.dll	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\Pdvd.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\~GLH0293.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XLaunchpad\Lang\~GLH0246.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\icons\ICOFX.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\Res\Images\weather_icons\~GLH0348.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\Resources\hexpatcher.exe	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XLaunchpad\Res\~GLH0251.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerWeahter\icons\haze.png	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerAppstab\src\2.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerFolderDock\Icons\~GLH02b7.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerUptime\Default.png	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Icon\~GLH03b7.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\TrueTransparency\lang\~GLH01ac.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\AppData\Widgets\EkerSystem\~GLH02ec.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XLaunchpad\AppData\Backup\~GLH0222.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Program Files (x86)\UX Pack\XLaunchpad\Lang\Korean.txt	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\XWidget\Update\~GLH03bf.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\RocketDock\Icons\~GLH0133.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Program Files (x86)\UX Pack\RocketDock\Languages\~GLH0151.TMP	macOS Transformation Pack 5.0.exe

Drops file in Windows directory 64 IoCs

Processes:

macOS Transformation Pack 5.0.exeuxworker.exe

description	ioc	process
File created	C:\Windows\Media\Lion\~GLH001a.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0054.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_7.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Fonts\HelveticaNeue-BoldItalic.ttf	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Cursors\El Capitan\Diagonal Resize 2.cur	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0026.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Chroma-2.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Mt. Fuji.jpg	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH006f.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Cursors\El Capitan\Working In Background.ani	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Media\Lion\~GLH0017.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Eagle & Waterfall.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\UXBackup\~GLH000d.TMP	uxworker.exe
File created	C:\Windows\UXBackup\~GLH0016.TMP	uxworker.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0029.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Isles.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Fonts\HelveticaNeue-Medium.ttf	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\UXBackup\cmd.exe	uxworker.exe
File opened for modification	C:\Windows\UXBackup\~GLH0009.TMP	uxworker.exe
File created	C:\Windows\UXBackup\~GLH0010.TMP	uxworker.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Abstract-3.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Desert-2.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_10.jpg	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0071.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\UXBackup\~GLH0000.TMP	uxworker.exe
File created	C:\Windows\UXBackup\~GLH0014.TMP	uxworker.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH003d.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Resources\Themes\~GLH00db.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Cursors\El Capitan\~GLH0012.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Yosemite 3.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\UXBackup\~GLH0003.TMP	uxworker.exe
File opened for modification	C:\Windows\UXBackup\~GLH0010.TMP	uxworker.exe
File opened for modification	C:\Windows\UXBackup\~GLH0015.TMP	uxworker.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_1.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\UXBackup\~GLH0000.TMP	uxworker.exe
File created	C:\Windows\UXBackup\~GLH000a.TMP	uxworker.exe
File opened for modification	C:\Windows\UxStyle_Core_Jul13_x86.msi	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Cursors\El Capitan\~GLH0013.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0038.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Flower-2.jpg	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0051.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\UXBackup\imagesp1.dll	uxworker.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Abstract.jpg	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH002f.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH004b.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0070.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Fonts\~GLH00e0.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Media\Lion\chime.wav	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0022.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0039.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_13.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Brushes.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Mountain Range.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\UXBackup\batmeter.dll	uxworker.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\Earth and Moon.jpg	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\El Capitan 2.jpg	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH005b.TMP	macOS Transformation Pack 5.0.exe
File opened for modification	C:\Windows\Web\Wallpaper\Yosemite\mojave_dynamic_2.jpg	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0063.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\UXBackup\~GLH0011.TMP	uxworker.exe
File opened for modification	C:\Windows\UXBackup\taskmgr.exe	uxworker.exe
File opened for modification	C:\Windows\Cursors\El Capitan\Vertical Resize.cur	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0033.TMP	macOS Transformation Pack 5.0.exe
File created	C:\Windows\Web\Wallpaper\Yosemite\~GLH0077.TMP	macOS Transformation Pack 5.0.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4000 sc.exe
4728 sc.exe
2620 sc.exe
4972 sc.exe
2212 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4000	sc.exe
4728	sc.exe
2620	sc.exe
4972	sc.exe
2212	sc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000043e29724379355490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000043e297240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090043e29724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d43e29724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000043e2972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Kills process with taskkill 18 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3824	taskkill.exe
1112	taskkill.exe
3240	taskkill.exe
3992	taskkill.exe
2000	taskkill.exe
3668	taskkill.exe
844	taskkill.exe
2080	taskkill.exe
4712	taskkill.exe
3652	taskkill.exe
4900	taskkill.exe
3352	taskkill.exe
1800	taskkill.exe
5084	taskkill.exe
3636	taskkill.exe
2340	taskkill.exe
3136	taskkill.exe
4604	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

macOS Transformation Pack 5.0.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	macOS Transformation Pack 5.0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\Resources\\Themes\\Aero\\Aero.msstyles"	macOS Transformation Pack 5.0.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\DriveMask = "255"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ = "C:\\Program Files (x86)\\UX Pack\\OldNewExplorer\\OldNewExplorer64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\DriveMask = "255"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ = "C:\\Program Files (x86)\\UX Pack\\OldNewExplorer\\OldNewExplorer32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 24 IoCs

Processes:

RESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXE

pid	process
4764	RESHAC~1.EXE
4312	RESHAC~1.EXE
3236	RESHAC~1.EXE
3024	RESHAC~1.EXE
4572	RESHAC~1.EXE
4684	RESHAC~1.EXE
2164	RESHAC~1.EXE
4204	RESHAC~1.EXE
3468	RESHAC~1.EXE
552	RESHAC~1.EXE
1424	RESHAC~1.EXE
3088	RESHAC~1.EXE
3012	RESHAC~1.EXE
2968	RESHAC~1.EXE
5004	RESHAC~1.EXE
4916	RESHAC~1.EXE
1332	RESHAC~1.EXE
3580	RESHAC~1.EXE
2548	RESHAC~1.EXE
1188	RESHAC~1.EXE
3012	RESHAC~1.EXE
4020	RESHAC~1.EXE
1788	RESHAC~1.EXE
2016	RESHAC~1.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

uxworker.exe

pid process

1212 uxworker.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeSecurityPrivilege	2036	msiexec.exe
Token: SeCreateTokenPrivilege	3004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3004	msiexec.exe
Token: SeLockMemoryPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeMachineAccountPrivilege	3004	msiexec.exe
Token: SeTcbPrivilege	3004	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeLoadDriverPrivilege	3004	msiexec.exe
Token: SeSystemProfilePrivilege	3004	msiexec.exe
Token: SeSystemtimePrivilege	3004	msiexec.exe
Token: SeProfSingleProcessPrivilege	3004	msiexec.exe
Token: SeIncBasePriorityPrivilege	3004	msiexec.exe
Token: SeCreatePagefilePrivilege	3004	msiexec.exe
Token: SeCreatePermanentPrivilege	3004	msiexec.exe
Token: SeBackupPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeDebugPrivilege	3004	msiexec.exe
Token: SeAuditPrivilege	3004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3004	msiexec.exe
Token: SeChangeNotifyPrivilege	3004	msiexec.exe
Token: SeRemoteShutdownPrivilege	3004	msiexec.exe
Token: SeUndockPrivilege	3004	msiexec.exe
Token: SeSyncAgentPrivilege	3004	msiexec.exe
Token: SeEnableDelegationPrivilege	3004	msiexec.exe
Token: SeManageVolumePrivilege	3004	msiexec.exe
Token: SeImpersonatePrivilege	3004	msiexec.exe
Token: SeCreateGlobalPrivilege	3004	msiexec.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeBackupPrivilege	2108	srtasks.exe
Token: SeRestorePrivilege	2108	srtasks.exe
Token: SeSecurityPrivilege	2108	srtasks.exe
Token: SeTakeOwnershipPrivilege	2108	srtasks.exe
Token: SeBackupPrivilege	2108	srtasks.exe
Token: SeRestorePrivilege	2108	srtasks.exe
Token: SeSecurityPrivilege	2108	srtasks.exe
Token: SeTakeOwnershipPrivilege	2108	srtasks.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

uxworker.exeRESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXERESHAC~1.EXE

pid	process
1212	uxworker.exe
4764	RESHAC~1.EXE
4312	RESHAC~1.EXE
3236	RESHAC~1.EXE
3024	RESHAC~1.EXE
4572	RESHAC~1.EXE
4684	RESHAC~1.EXE
2164	RESHAC~1.EXE
4204	RESHAC~1.EXE
3468	RESHAC~1.EXE
552	RESHAC~1.EXE
1424	RESHAC~1.EXE
3088	RESHAC~1.EXE
3012	RESHAC~1.EXE
2968	RESHAC~1.EXE
5004	RESHAC~1.EXE
4916	RESHAC~1.EXE
1332	RESHAC~1.EXE
3580	RESHAC~1.EXE
2548	RESHAC~1.EXE
1188	RESHAC~1.EXE
3012	RESHAC~1.EXE
4020	RESHAC~1.EXE
1788	RESHAC~1.EXE
2016	RESHAC~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

macOS Transformation Pack 5.0.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2988 wrote to memory of 1876	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 1876	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 1876 wrote to memory of 3648	1876	cmd.exe	takeown.exe
PID 1876 wrote to memory of 3648	1876	cmd.exe	takeown.exe
PID 2988 wrote to memory of 1704	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 1704	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 1704 wrote to memory of 1424	1704	cmd.exe	icacls.exe
PID 1704 wrote to memory of 1424	1704	cmd.exe	icacls.exe
PID 2988 wrote to memory of 3764	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 3764	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 3764 wrote to memory of 1700	3764	cmd.exe	icacls.exe
PID 3764 wrote to memory of 1700	3764	cmd.exe	icacls.exe
PID 2988 wrote to memory of 3236	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 3236	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 3236 wrote to memory of 1728	3236	cmd.exe	icacls.exe
PID 3236 wrote to memory of 1728	3236	cmd.exe	icacls.exe
PID 2988 wrote to memory of 908	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 908	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 908 wrote to memory of 1268	908	cmd.exe	icacls.exe
PID 908 wrote to memory of 1268	908	cmd.exe	icacls.exe
PID 2988 wrote to memory of 5008	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 5008	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 5008 wrote to memory of 3816	5008	cmd.exe	icacls.exe
PID 5008 wrote to memory of 3816	5008	cmd.exe	icacls.exe
PID 2988 wrote to memory of 4288	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 4288	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 4288 wrote to memory of 904	4288	cmd.exe	icacls.exe
PID 4288 wrote to memory of 904	4288	cmd.exe	icacls.exe
PID 2988 wrote to memory of 4568	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 4568	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 4568 wrote to memory of 3272	4568	cmd.exe	icacls.exe
PID 4568 wrote to memory of 3272	4568	cmd.exe	icacls.exe
PID 2988 wrote to memory of 4068	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 2988 wrote to memory of 4068	2988	macOS Transformation Pack 5.0.exe	cmd.exe
PID 4068 wrote to memory of 4100	4068	cmd.exe	icacls.exe
PID 4068 wrote to memory of 4100	4068	cmd.exe	icacls.exe
PID 2988 wrote to memory of 2000	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 2000	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 2000	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 1800	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 1800	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 1800	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 5084	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 5084	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 5084	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3668	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3668	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3668	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3824	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3824	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3824	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3136	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3136	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 3136	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 844	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 844	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 844	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 1112	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 1112	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 1112	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 2080	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 2080	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 2080	2988	macOS Transformation Pack 5.0.exe	taskkill.exe
PID 2988 wrote to memory of 4712	2988	macOS Transformation Pack 5.0.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe
"C:\Users\Admin\AppData\Local\Temp\macOS Transformation Pack 5.0.exe"
1⤵
- Checks computer location settings
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c takeown.exe /f "C:\Windows\Resources\Themes" /r /d y
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\takeown.exe
takeown.exe /f "C:\Windows\Resources\Themes" /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3648

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1424

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrators:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1700

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1728

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Administrator:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1268

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Admin:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3816

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant Admin:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:904

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant %USERNAME%:(OI)(CI)F
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:(OI)(CI)F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3272

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /a /c icacls.exe "C:\Windows\Resources\Themes" /grant %USERNAME%:F /T
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\icacls.exe
icacls.exe "C:\Windows\Resources\Themes" /grant Admin:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4100

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "uxlaunch.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "RocketDock.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "StandaloneStack2.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TrueTransparency.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TrueTransparencyx64.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TRUETR~1.EXE"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TRUETR~2.EXE"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "VirtuaWin.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "WinList.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "leftsider.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "leftsider64.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "XLaunchPad.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "xwidget.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "YzShadow.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "ViFind.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "TaskBarHider.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "WinaeroGlass.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM "explorer.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /x{8E363055-15E5-4D8A-9C69-A0A9DE9A3337} /quiet
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\UXSTYL~2.EXE
"C:\Windows\UXSTYL~2.EXE" /uninstall /passive /quiet
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3592

C:\Windows\UXSTYL~2.EXE
"C:\Windows\UXSTYL~2.EXE" /uninstall /passive /quiet -burn.unelevated BurnPipe.{31E6B239-0F89-474F-8E55-B6353444DC55} {7394EE84-895B-4A6E-B09B-E9F0D5757102} 3592
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3416

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" delete uxstyle
2⤵
- Launches sc.exe
PID:4000

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" delete uxpatch
2⤵
- Launches sc.exe
PID:4728

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" delete unsignedthemes
2⤵
- Launches sc.exe
PID:2620

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-Light.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
2⤵
- Executes dropped EXE
PID:3496

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-LightItalic.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-Medium.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
2⤵
- Executes dropped EXE
PID:3612

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-UltraLight.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
2⤵
- Executes dropped EXE
PID:3088

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\Fonts\HelveticaNeue-UltraLightItalic.ttf" "C:\Users\Admin\AppData\Local\Temp\tempcache"
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer32.dll"
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2964

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer64.dll"
2⤵
- Loads dropped DLL
PID:4276

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer64.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\basebrd.dll" "C:\Windows\Branding\Basebrd\basebrd.dll"
2⤵
- Executes dropped EXE
PID:3940

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\ieframe.dll" "C:\Windows\system32\ieframe.dll"
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\iexplore.exe" "C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\shellbrd.dll" "C:\Windows\Branding\Shellbrd\shellbrd.dll"
2⤵
- Executes dropped EXE
PID:3824

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Program Files (x86)\UX Pack" /r /d y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4768

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\UX Pack" /grant %USERNAME%:(OI)(CI)F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3968

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Program Files (x86)\UX Pack" /grant %USERNAME%:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:388

C:\PROGRA~2\UXPACK~1\uxworker.exe
"C:\PROGRA~2\UXPACK~1\uxworker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1212

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "wmplayer.exe", "wmplayer.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\wmplayer.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\wmplayer.exe.uxp"
3⤵
- Executes dropped EXE
PID:4016

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\wmplayer.exe.uxp" "C:\Program Files (x86)\windows media player\wmplayer.exe"
3⤵
- Executes dropped EXE
PID:2676

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "regedit.exe", "regedit.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\regedit.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4312

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\regedit.exe.uxp"
3⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\regedit.exe.uxp" "C:\Windows\regedit.exe"
3⤵
- Executes dropped EXE
PID:4296

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "batmeter.dll", "batmeter.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\batmeter.dll.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\batmeter.dll.uxp"
3⤵
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\batmeter.dll.uxp" "C:\Windows\system32\batmeter.dll"
3⤵
- Executes dropped EXE
PID:4960

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "calc.exe", "calc.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\calc.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\calc.exe.uxp"
3⤵
- Executes dropped EXE
PID:1144

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\calc.exe.uxp" "C:\Windows\system32\calc.exe"
3⤵
- Executes dropped EXE
PID:3612

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "charmap.exe", "charmap.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\charmap.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4572

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\charmap.exe.uxp"
3⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\charmap.exe.uxp" "C:\Windows\system32\charmap.exe"
3⤵
- Executes dropped EXE
PID:3656

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "cmd.exe", "cmd.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\cmd.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\cmd.exe.uxp"
3⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\cmd.exe.uxp" "C:\Windows\system32\cmd.exe"
3⤵
- Executes dropped EXE
PID:3436

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "control.exe", "control.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\control.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\control.exe.uxp"
3⤵
- Executes dropped EXE
PID:3788

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\control.exe.uxp" "C:\Windows\system32\control.exe"
3⤵
- Executes dropped EXE
PID:1056

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "defrag.exe", "defrag.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\defrag.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\defrag.exe.uxp"
3⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\defrag.exe.uxp" "C:\Windows\system32\defrag.exe"
3⤵
- Executes dropped EXE
PID:2484

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "dpiscaling.exe", "dpiscaling.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\dpiscaling.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\dpiscaling.exe.uxp"
3⤵
- Executes dropped EXE
PID:408

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\dpiscaling.exe.uxp" "C:\Windows\system32\dpiscaling.exe"
3⤵
- Executes dropped EXE
PID:2656

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "fsquirt.exe", "fsquirt.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\fsquirt.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\fsquirt.exe.uxp"
3⤵
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\fsquirt.exe.uxp" "C:\Windows\system32\fsquirt.exe"
3⤵
- Executes dropped EXE
PID:4960

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "imageres.dll", "imageres.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\imageres.dll.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\imageres.dll.uxp"
3⤵
- Executes dropped EXE
PID:4292

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\imageres.dll.uxp" "C:\Windows\system32\imageres.dll"
3⤵
- Executes dropped EXE
PID:5008

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "imagesp1.dll", "imagesp1.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\imagesp1.dll.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\imagesp1.dll.uxp"
3⤵
- Executes dropped EXE
PID:2908

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\imagesp1.dll.uxp" "C:\Windows\system32\imagesp1.dll"
3⤵
- Executes dropped EXE
PID:740

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "msconfig.exe", "msconfig.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\msconfig.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\msconfig.exe.uxp"
3⤵
- Executes dropped EXE
PID:1876

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\msconfig.exe.uxp" "C:\Windows\system32\msconfig.exe"
3⤵
- Executes dropped EXE
PID:3708

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "mspaint.exe", "mspaint.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\mspaint.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\mspaint.exe.uxp"
3⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\mspaint.exe.uxp" "C:\Windows\system32\mspaint.exe"
3⤵
- Executes dropped EXE
PID:1728

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "mydocs.dll", "mydocs.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\mydocs.dll.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\mydocs.dll.uxp"
3⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\mydocs.dll.uxp" "C:\Windows\system32\mydocs.dll"
3⤵
- Executes dropped EXE
PID:1056

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "netshell.dll", "netshell.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\netshell.dll.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\netshell.dll.uxp"
3⤵
- Executes dropped EXE
PID:4044

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\netshell.dll.uxp" "C:\Windows\system32\netshell.dll"
3⤵
- Executes dropped EXE
PID:3452

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "notepad.exe", "notepad.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\notepad.exe.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\notepad.exe.uxp"
3⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\notepad.exe.uxp" "C:\Windows\system32\notepad.exe"
3⤵
- Executes dropped EXE
PID:972

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "pnidui.dll", "pnidui.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\pnidui.dll.res",,,
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\pnidui.dll.uxp"
3⤵
PID:2568

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\pnidui.dll.uxp" "C:\Windows\system32\pnidui.dll"
3⤵
PID:2408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4960

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "rstrui.exe", "rstrui.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\rstrui.exe.res",,,
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\rstrui.exe.uxp"
3⤵
PID:4292

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\rstrui.exe.uxp" "C:\Windows\system32\rstrui.exe"
3⤵
PID:4704

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "sndvolsso.dll", "sndvolsso.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\sndvolsso.dll.res",,,
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\sndvolsso.dll.uxp"
3⤵
PID:2536

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\sndvolsso.dll.uxp" "C:\Windows\system32\sndvolsso.dll"
3⤵
PID:3652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:740

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "snippingtool.exe", "snippingtool.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\snippingtool.exe.res",,,
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\snippingtool.exe.uxp"
3⤵
PID:4980

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\snippingtool.exe.uxp" "C:\Windows\system32\snippingtool.exe"
3⤵
PID:4532

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "stobject.dll", "stobject.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\stobject.dll.res",,,
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\stobject.dll.uxp"
3⤵
PID:3352

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\stobject.dll.uxp" "C:\Windows\system32\stobject.dll"
3⤵
PID:3676

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "taskmgr.exe", "taskmgr.exe.uxp", "C:\Program Files (x86)\UX Pack\Resources\taskmgr.exe.res",,,
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\taskmgr.exe.uxp"
3⤵
PID:4688

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\taskmgr.exe.uxp" "C:\Windows\system32\taskmgr.exe"
3⤵
PID:4712

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
"C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE" -modify "twinui.dll", "twinui.dll.uxp", "C:\Program Files (x86)\UX Pack\Resources\twinui.dll.res",,,
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\PEChecksum.exe
"C:\Windows\System32\PEChecksum.exe" "C:\Windows\UXBackup\twinui.dll.uxp"
3⤵
PID:3884

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Windows\UXBackup\twinui.dll.uxp" "C:\Windows\system32\twinui.dll"
3⤵
PID:3772

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\IconCache.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1616

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3896

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4336

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3236

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:656

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3540

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4960

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3024

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4612

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:820

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:2908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1188

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4116

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1776

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3584

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:2620

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3728

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4800

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:624

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4316

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1852

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1056

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4204

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1788

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:2016

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:5084

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:1332

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:5056

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:2776

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4208

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3580

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4424

C:\Windows\SysWOW64\moveex.exe
"C:\Windows\System32\moveex.exe" "C:\Users\Admin\AppData\Local\..\..\..\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db" "C:\Users\Admin\AppData\Local\Temp\tempcache"
3⤵
PID:4284

C:\PROGRA~2\UXPACK~1\uxlaunch.exe
"C:\PROGRA~2\UXPACK~1\uxlaunch.exe"
2⤵
PID:3712

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gdipp_svc_32 binPath="C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_32.exe" start=auto DisplayName="gdipp Service (32-bit)"
3⤵
- Launches sc.exe
PID:4972

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gdipp_svc_64 binPath="C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_64.exe" start=auto DisplayName="gdipp Service (64-bit)"
3⤵
- Launches sc.exe
PID:2212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3012

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:2708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" themecpl.dll,OpenThemeAction C:\Windows\Resources\Themes\macOS.theme
3⤵
PID:3884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_32.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_32.exe"
1⤵
PID:2700

C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_32.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_32.exe"
2⤵
PID:4920

C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_64.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_svc_64.exe"
1⤵
PID:5100

C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_64.exe
"C:\Program Files (x86)\UX Pack\gdipp\gdipp_hook_64.exe"
2⤵
PID:4216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3076

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1684 -s 4588
2⤵
PID:4208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4a0
1⤵
PID:1860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4416

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3868855 /state1:0x41c64e6d
1⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.EXE
Filesize
5.2MB

MD5
1126825f25c71afc621ec89d2b026240

SHA1
889adb9e5fc712f25097ebe401d57f52647e6a71

SHA256
4b255534d59e984e8b87827be6ef7efe1e218301ff9ec81f8b3d750bb0951a99

SHA512
c167e3caf92ef586c1428b417115a5bb605561a9d4e82cf59976f45ac2e7d8d17354a560bf99fb1366b477d440b4cb290042f997e167b2979c95505ceed83d90

Download Submit
C:\PROGRA~2\UXPACK~1\RESOUR~1\RESHAC~1.ini
Filesize
68B

MD5
0b4eb63594ed8710d1e917edf50e0d94

SHA1
256195febdf98923af3bbaec1c04a2dc9b7da82a

SHA256
1739b1d2b5a717e2e158d8b6758c4dec206e9aac6789eb85021c9313a557f70d

SHA512
3d4f9a4498c866edf99861097256e3cbe4c22ab8386faae564280cc48028493bb5af3b0c82503e0756948c9297ba6f7ad59aefb6e5ab39a3d6acf9f66ec3e779

Download Submit
C:\PROGRA~2\UXPACK~1\uxlaunch.exe
Filesize
512KB

MD5
ab10964cdb3af503d7fe9dd1c07ea9a6

SHA1
42f11e170ecbe41445ee87132af9b4c1d0f78278

SHA256
94c849878460c8279d187f9d3badcfe6f1638704c0c864811ddcea0a34349402

SHA512
ffa5876874e03516b3ee2a55b0e5fdbf243817b39007a73b3cb53509ff38836b8fb6406b101fec4d73b9cfd272dd427e467a0b169efbd31f77104354e09f56a4

Download Submit
C:\PROGRA~2\UXPACK~1\uxworker.exe
Filesize
453KB

MD5
e960c7b7854e40a25f4d9ff89d565324

SHA1
741509578c65bcd1e161119b229aa5031b287669

SHA256
0bfabc19f3ddf737e6985e0730fcc2ae1414f883a99369010993f9b438e7d86b

SHA512
1287810857544b68fc04771be6c4905bc6216d797801f41d001de1eff500c30e7dff97d7c015889e7a01efe8d21b7657764a909c78a295b374525853d9cb2899

Download Submit
C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer32.dll
Filesize
247KB

MD5
f315c162623f0710a41db517d7d51be7

SHA1
3ff0d1faa1f2a50e038430fda0a2b5c4cee5a838

SHA256
8c0514b777e04c58e9d274c5e8a0b8693925742e40d51b3db98e53b670658ded

SHA512
a5547c724db3060e0626a20a07301bcac40bc33ded28263dca60d6ec26b0e60da2ff0fadb4d9d51e707435b6ba97e04a6916fe52d720dde9f2d3ab28769fb6ff

Download Submit
C:\Program Files (x86)\UX Pack\OldNewExplorer\OldNewExplorer64.dll
Filesize
252KB

MD5
4d5892e1c196ede28a5ebc92319145c0

SHA1
182d6c0b70b1941ca9f823063b977e449fe7b6de

SHA256
1c237a4ee1859e0d18729f9a8abe647fede7ace8c5bd1e8cc891f8d486f70a74

SHA512
8d25d3342876704d580020bc3a4b138b238f93c1f531e57888e7f0cdd53a121ee881b72f336a191723c8d49bfe4f73eea1613d99b6eed835bb9a450c351dce05

Download Submit
C:\Program Files (x86)\UX Pack\Resources\ux.sif
Filesize
600B

MD5
4c810228f8e8d8b7e820461d3cac7cb6

SHA1
9dadf34c66eb89be7fa47c6b22614fca8c039721

SHA256
d78bd0d710e19cc5463fc7fdb5c04ef07a59176fcc977674a245f4c7a5a30862

SHA512
0ad692148e0e47f01e67e4aecb8ba6f184b6bcb6b7683056806aa69ebc31249d32534aad44fbe4d77f490c3755d6d341637009dc1bdfcacb993769ffda6714ea

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Maximized\~GLH01d5.TMP
Filesize
4KB

MD5
8f2d30e5d4a4a4df99e0ca28fa691f4f

SHA1
568e82646f801fce717daed32adaa384a9067af1

SHA256
3da390ab39f78b6156145d66f9328eaa2924d8dabe4cbce5608bfa30cb588ea4

SHA512
b526921dba66cc95bc00467ceb32b2d10dbcec57eeb116944a083c2674a452eaac085b4e94e194199109b58ddf9813744c83474b24b2b44d5f3c631f24151e6f

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Maximized\~GLH01d6.TMP
Filesize
2KB

MD5
51343f00bd870e3a7095adfc44204795

SHA1
e942565de31e86ba11931048f329ecf37c003abd

SHA256
f679e2a40a53f5d25245a343301099c7b439d31d2d0749b2f637f889b0040bbf

SHA512
b8d0ae38535fb37553d96a7472299c354d190992802c3a98aeff1612f4ccbe98b93f96c56edcf87c8245c7d13dce0ef1f490d775fad65606c72754e42935af13

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Maximized\~GLH01d7.TMP
Filesize
4KB

MD5
1f52cf0eb7810215db55646bd5db9e49

SHA1
6f7c6697b495455b090a5a6334ca03ee50fa8b4b

SHA256
2cf10cbac31d71c43d21a8b678f1e82fab16d6b08980040e22e6a7f2dcb4358f

SHA512
cb0cb6168ef74f7fa5c9d67fb05ab433a94818c634def3911ef15156ea67e2852791d20a94a8900ba1c333fcfa8e5f8ae8d64be02b33acec2951811dedc875d0

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Maximized\~GLH01d8.TMP
Filesize
4KB

MD5
8ce5686d188be4fcad9d03a007bc585c

SHA1
7b4b3d82a4a339948219c89a4f4c05e2de48fdce

SHA256
1e67e395f3c4fae21b6bcf2ebae3db8b10d84eae8c3a4067662624100994b8a0

SHA512
8dc0147c19933af8a094962d37a502f19d68df902260b4a6203009cd77bb23edeb5f0d30801860f6e5c0d71eac53be6d5fd260fcdf89912da78e4005c3dcd293

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\YosemiteBlack\Maximized\~GLH01dd.TMP
Filesize
2KB

MD5
bf21a888d86e07b25d96bcab3d1b374f

SHA1
d21970822029ff93ed5604ada93e7b8ec58b9490

SHA256
7dc52242b6b494bca75c8be439db60c2991b28edc679b500abdcbccae70052ea

SHA512
414796d01e6228effd9954c21191833d7560e11d3121d0a1ea1617380fe7ee29e6fa331bc1356c44a41d213156b4cb2fd31a49676bc62be77ec5a44826b0b280

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Maximized\~GLH01b6.TMP
Filesize
946B

MD5
80eccfde72211709f905818d39b791e2

SHA1
d91df7c637bad848b52af14eb8f9701a02de73b2

SHA256
16f086eea1be163db35c10881e45efcc7bca6b82ba9f3a2c126b68fae777f6f6

SHA512
ce406b06e33e9221113d1a50894578117d353fab26c60a5f8569c76845a7997c5be59be59a5e3b3dcca837954334cc18b3a62d7fc7be1896ac034eb43d2bcad6

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Maximized\~GLH01c1.TMP
Filesize
2KB

MD5
104e364b7d04d42d7009012292355735

SHA1
0238962c3870629085bb5a6a46949dfde7989ade

SHA256
dde99bd79b25dcb0007651f5cb5cd1fce639448aee00ddafb3e8af184e0983af

SHA512
31c8dc3be1b21bf00c19f30ec6df5347cee0d9a9ea18d7c008fa79e812f01e32f50119de21cb3e9fb10f52b48558b3e136c76c1a2e3e0506b8ac0ebc9955c75a

Download Submit
C:\Program Files (x86)\UX Pack\TrueTransparency\skin\Yosemite\Normal\~GLH01c5.TMP
Filesize
4KB

MD5
d1b0d2029084ddc837d1d25d5077b247

SHA1
446be49d63a1bf53f90c9e47b22a9a3102cac42f

SHA256
7c2c41367a134a4a393b15669e7a64f5aa84e6ef29f1b0041d20e2b2755f61b3

SHA512
6021bf300b312e07fa6fd139afa7fde8036d1b49f1b0bb63590d1acfb414c8196a7165eede6836923b85074fbdf8574ade15cbcacc46d0565e2154b7c5c63ace

Download Submit
C:\Program Files (x86)\UX Pack\XWidget\Res\Images\weather_icons\~GLH0347.TMP
Filesize
6KB

MD5
f1e6db999483d4a4b9613beffa5c1795

SHA1
bcdd96ae8339a7d48a9ae281ce07d22f1c1f51d5

SHA256
117e339b4997c304a122be42509f78e9ea6031db6f96ae449062301fe0d00692

SHA512
adb863a46de62b2b53a41098ee772b52d22f477284e90655a3b9a5d4f85f9ba6f52ecbb5075b131f15c7fe20f6dac44f2ecf824bbc37a76fe61f4ce7b0072ed5

Download Submit
C:\Program Files (x86)\UX Pack\XWidget\Res\Images\weather_icons\~GLH0351.TMP
Filesize
5KB

MD5
8e469981a2e89d9366c6b9dbb88aadd8

SHA1
5c13bfd9cdcb0ba9c03a9391b9857a3b3d1908f0

SHA256
36d581152908c48be76deace7c2c4ca94f604ad8151ada0d9ab03d03f4f8b941

SHA512
97e2e073981264efbb1c0791493c6bfaa9011380cd8eeeb1f34d2ba738b0bf35348e6f61073a60910cf0e0e051b5e449ee92000e0f7fc346240b4c98f7188736

Download Submit
C:\Program Files (x86)\UX Pack\XWidget\Res\Images\weather_icons\~GLH0353.TMP
Filesize
6KB

MD5
845260156d2d87945247aaa8f51603d1

SHA1
e6648323e7fd362e9fd4b4f494f8105feaad75c6

SHA256
7977495fda73e75ca971d84606b771cd5d2c670a05798e0832ce16d1ea2cb24e

SHA512
2d371e0cf1ec4d557deb03b87a57730231462ee49cb01c4905a01ab03e96ec7e1175eee43692e8047d591c084b202ec615c0f8dd2aa940d5c5f5410bde8dc213

Download Submit
C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Icon\~GLH03a2.TMP
Filesize
11KB

MD5
cf30d2b2c170a5a98caa3a7215d83ae3

SHA1
abedd45bb623548605da0b2a93d0afaeb12f489b

SHA256
29cba7577d397dc14d0a1837fa779701c80dd029573d6df78619201915d478f0

SHA512
ea7303d2eabfffab9a97348a9f61f84ea33903b135a2d5936d53f43511a4d0b8363a3af7955a71e55174806ef34142cbec65dbb83ef5c3f1bc7052d633384921

Download Submit
C:\Program Files (x86)\UX Pack\XWidget\Res\Template\weatherTemp\Icon\~GLH03a6.TMP
Filesize
10KB

MD5
2677773a835efd1ad8fe6eb10e4c0835

SHA1
cde8a8dd51d8ad665298ffe5edbdc563dcaea4a2

SHA256
c0f902e9e3c01d6f0d1249bb9cb703432aedd55f363a2c6b6d5340ca75741e82

SHA512
2da6602e8926ead005521f1a18d5c789f4d5f7d2d05db0bf5b62fc29bd601a9e3da42121887647ab34333b9bb75f01d53805e5650700f8563980799c089dfee9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WSEA9K3C\microsoft.windows[1].xml
Filesize
97B

MD5
a10a5315af9b5ec3f167c7c4344ab6c6

SHA1
4e80fd779c1f21ecc2803b08447b0aafbf7eb04e

SHA256
378ae674b3bd38b758bfc3e454467425f2481eef9c527a912088e3b541e31bb0

SHA512
db214e86079aa7ce528a4846654428a2214f005859c0c5624417574cf299d6262c7046f0d2047484ac168ae155f6743679caf7556adbf96a83b554b7b26f2fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133643361794555688.txt
Filesize
75KB

MD5
c54fd3db88e1a5d551c540c3e5d2e453

SHA1
5666e545624a5bc40a64d7c758dc2a38f74f219e

SHA256
44d6f2a27c07ac5994c688bcd0c752dfe11000a55ca5705ce5f0d4d0c8b2a653

SHA512
f988ecb9a8be216a52caf91ee20a85f7a56043e56f056507ca40c587298ba9fb45831703b08653182bdcf13e0180c604df68bfc738d04fc4902372f4f243ee7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC8388.tmp
Filesize
188KB

MD5
b285c45a315f4e85a94962151c5f2b09

SHA1
c0daee3a412678988fa1a9325c52cdca102e1711

SHA256
739105d5981cdb3040a184c28f7d7bfaf0eabf2529fa81f5697cb7c42ba0e784

SHA512
ed3ea4018fb1bd2859e8ebb74f0ab71f45096b687218ff748f6d581737385cc79b35940a2f6bbc2913d9ddec0902d168b5fd903729fce20ea83922bc4756d7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{05560347-3a9b-4644-a8ed-8b64cc947189}\.ba1\uxstyle.png
Filesize
109KB

MD5
bfdfea91dc57ee32e2053438a10a17b5

SHA1
9f71f18160709dfb0bc40a5a39f4ec8e05295708

SHA256
33a93195de4e8a096968257084968ed5b96538cf6d83439daf2256f7f6ec0501

SHA512
bd0fead91b39dcffb28701df0b33fee67473eda2bfde7b83797ab292e0f67a633ea21369fc14a34bdc84f251d5a3c33caffdeeb0eb2e305783e7d84bdaf2d11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{05560347-3a9b-4644-a8ed-8b64cc947189}\.ba1\wixstdba.dll
Filesize
135KB

MD5
3b693bc186b3beb4d424eaf7aca43e40

SHA1
24c095cf3b6c3cf3e8e6216679a952d70fe24ff3

SHA256
c7449b843802f8801b9e9fd80f1b98726f40552d36cd394897f468a7c25aa981

SHA512
488c97aa90a7a7651a92991ecbc669cd87bc5242267cd674f7cb9b6280277c8dbd6765ecb990c28771981eada874ed0882f2536ee9df627a7b675bb16f2588d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{05560347-3a9b-4644-a8ed-8b64cc947189}\.be\UxStyle_Bundle.exe
Filesize
560KB

MD5
665344f19578b9e060671be6ee4ad843

SHA1
2b5d354b12fb82fa584e6366236b7f7818f0e8a6

SHA256
77a583d1af2cd8856930d6552f85beae8b904b1fd76a1c184b508b79b00968d5

SHA512
2bec6f9e7cdaba459f53ac5a11de0fda05db0af4c031355e937581af38ad71843dd5a85d24ebfed66bebaa4494c7fa150d5d7d8d9eaac09dd0c76b8b59810b49

Download Submit
C:\Windows\Fonts\HelveticaNeue-Light.ttf
Filesize
110KB

MD5
18992d6df7890d39aebc935736407f8b

SHA1
2c3a9b805f1ec819085d912dd226e4d066ee7539

SHA256
6560538aaf5e999665a8187ab240760bff43e1242de3080d2b36dbff9a443c5d

SHA512
b8f557e337d64565ebfd339b8641c17e10a851436d9088cfd37f7c3d381b8c8b309813f61be8c5c57172bbc9d713c7b7918130d50ffa97756e63e1054286c6bc

Download Submit
C:\Windows\Fonts\HelveticaNeue-LightItalic.ttf
Filesize
111KB

MD5
131b37ad41c711b8efd54a5971d3e13d

SHA1
d28717ab4633f1f53d00eeafb6f3f0e18f3c2d35

SHA256
018ec9c815dabd99c507798173740cfa3b5643948c3d6669495963b684d0d3ce

SHA512
11b7269a6f1d7a2bdb1960fea3da870256dcf6dd1421bb0f7a1cbe7de262e6d3971022f916e0422b2c341e06b6ec30b0ac8e4b7f9785642fc4114ed754607eaf

Download Submit
C:\Windows\Fonts\HelveticaNeue-Medium.ttf
Filesize
121KB

MD5
df55d36889c5b42bcb2383fcb89b4e5e

SHA1
206e8bacd8c1e40593e26374e63b30924085ac47

SHA256
d67118097874ef8c274f3ec9027e75ff52a0944ed8d4699c29deae1b7f1927c2

SHA512
2ac973ce6a25ce4a12de3c2ae5796964996db76924fe19d6518fd3b4aab0f66cc18d2aa2978245346764f19bcd247e78e1523a806750b9e9f1b0f46ae0cb419d

Download Submit
C:\Windows\Fonts\HelveticaNeue-UltraLight.ttf
Filesize
106KB

MD5
fa9b7e324d3ad3595d18598b280f5be7

SHA1
f8c204202b038abed65514e76c8c2be5da74e228

SHA256
17e81c49f702f1628c7ec95cebc7e3b179180dfdb09f7344976283265cd6a27b

SHA512
c25a1775c7c6a46c9f8c4e22e9b029bdeb8074d1b6e2d0fe04bf54df1e2f2c13261ff34a074e6d28482ecc5d8bda7866dcbf66d2584703bbbfc5bc21d37d7bdc

Download Submit
C:\Windows\Fonts\HelveticaNeue-UltraLightItalic.ttf
Filesize
131KB

MD5
264e1e45fdb36f38f425b48e2b2b3679

SHA1
f642d7e4b2c41aa4301cc3f8fd24e792310182a6

SHA256
80eacd8b571f53bb3a3a3d1e81e6749e934112ab396fec46c6c1502fe6e69346

SHA512
e7783aa790478fe0c9e20110dad8a47907f2f4c2be97e53184970e85de4057305c9e27b368d8b23bfb3f484766cabed69b4095c5702ffc7a2ff5e87a71ca3d33

Download Submit
C:\Windows\SysWOW64\PEChecksum.exe
Filesize
15KB

MD5
82b36d39067c90e20114ae1f87c2bebb

SHA1
065312ffadd0dd1fc335ffc40174d5a88b35bc0c

SHA256
4126de3a04b9045165cda0eec285c59e6dadf63185f67a9163a4a9b49c72cfb3

SHA512
3391fb19d2a7a27c34ba526a86b8b775996561a6b35ce10604643be4da79877f24326ab0d30523248b0067c7a4ce679ff1c9d22fb89e540915938343b5f659df

Download Submit
C:\Windows\SysWOW64\moveex.exe
Filesize
74KB

MD5
b83967e8e83318c36a2d4ef76ebd1d3b

SHA1
34383aa2f25af0fa26bc796737b75ac2e6641b56

SHA256
54ad6a1348afc1be04b418b78c998ffa318bf6632e1f5a2c2ae53702201473f1

SHA512
d731c9c88c2815dcf8d313b2fc7d8f399fdd9c634b78d2817f2cc6a2afdc622bf52ad2e3de57acfa1e71991ed2cdc6f92688420d6c02c10d2223c6287dbe40e2

Download Submit
C:\Windows\UXSTYL~2.EXE
Filesize
2.1MB

MD5
d4139d7130117272e09637ef90f7f965

SHA1
2c3a57504be5eb936839e526bc5adb5a5ff97225

SHA256
79c5b2bf0894b11e923a5f033612931c723332b4232e88177b95c4694bd9b8ef

SHA512
4694c83de3377a589bc71718d75c2ab341b059167ffe0ec50820c90bb9fb1186c7a32a6fe976c1abc3e2140cb040dad877efe6cf68c3400165c3af0fa710c02e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/408-2104-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/552-2107-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/1144-2071-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1188-2147-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/1332-2135-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/1424-2111-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/1788-2159-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/1876-2120-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2016-2163-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/2164-2090-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/2536-2148-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2548-2143-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/2568-2140-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2908-2116-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2924-2063-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2924-2108-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2968-2123-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3012-2119-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3012-2151-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3024-2069-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3088-2115-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3236-2061-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3352-2156-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3380-2128-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3432-2085-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3468-2103-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3512-2099-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3580-2139-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/3788-2092-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3884-2164-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4000-2078-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4016-2048-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4020-2155-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4044-2132-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4080-2056-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4204-2097-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4216-2231-0x00007FFC054B0000-0x00007FFC054B2000-memory.dmp

Filesize
8KB

Download
memory/4216-2222-0x00007FFC053B0000-0x00007FFC053C0000-memory.dmp

Filesize
64KB

Download
memory/4292-2144-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4292-2112-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4296-2136-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4312-2054-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4572-2076-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4684-2083-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4688-2160-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4764-2045-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4800-2124-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4916-2131-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download
memory/4980-2152-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5004-2127-0x0000000000400000-0x0000000000958000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads