29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

Analysis

max time kernel
508s
max time network
362s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sys32.exe
Size

32KB
MD5

645dea8cf7d178cc06112c26d4bbab29
SHA1

1659167f8da3227af247f5bb95b1fdeb0925530a
SHA256

29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2
SHA512

a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41
SSDEEP

384:8LipZl447piqb/lUYf5uH3w59AMRG5qUIjFgOrjFymqAeO8W8xmNlzhuW6:dmiiqTfk2AMRGwlFgOrjsbmNlzEF

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4740	attrib.exe
5344	attrib.exe
5040	attrib.exe
2740	attrib.exe
4896	attrib.exe
5080	attrib.exe
1180	attrib.exe
4220	attrib.exe
3052	attrib.exe
2632	attrib.exe
3144	attrib.exe
5320	attrib.exe
4660	attrib.exe
2212	attrib.exe
2820	attrib.exe
1752	attrib.exe
4696	attrib.exe
4128	attrib.exe
528	attrib.exe
2108	attrib.exe
4152	attrib.exe
2676	attrib.exe
4744	attrib.exe
920	attrib.exe
2448	attrib.exe
3084	attrib.exe
1004	attrib.exe
4444	attrib.exe
4832	attrib.exe
612	attrib.exe
2088	attrib.exe
2680	attrib.exe
1808	attrib.exe
3556	attrib.exe
4368	attrib.exe
4472	attrib.exe
2408	attrib.exe
1712	attrib.exe
3740	attrib.exe
4588	attrib.exe
976	attrib.exe
4024	attrib.exe
4728	attrib.exe
1716	attrib.exe
4160	attrib.exe
1728	attrib.exe
1176	attrib.exe
3456	attrib.exe
3732	attrib.exe
3068	attrib.exe
1596	attrib.exe
3348	attrib.exe
5644	attrib.exe
2992	attrib.exe
2244	attrib.exe
4832	attrib.exe
4344	attrib.exe
1992	attrib.exe
3208	attrib.exe
2676	attrib.exe
5620	attrib.exe
6076	attrib.exe
5448	attrib.exe
3348	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1988	sys32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1988	sys32.exe
2884	sys32.exe
2328	sys32.exe
2956	sys32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2884	1988	sys32.exe	28
PID 1988 wrote to memory of 2884	1988	sys32.exe	28
PID 1988 wrote to memory of 2884	1988	sys32.exe	28
PID 1988 wrote to memory of 2884	1988	sys32.exe	28
PID 2884 wrote to memory of 2328	2884	sys32.exe	29
PID 2884 wrote to memory of 2328	2884	sys32.exe	29
PID 2884 wrote to memory of 2328	2884	sys32.exe	29
PID 2884 wrote to memory of 2328	2884	sys32.exe	29
PID 2328 wrote to memory of 2956	2328	sys32.exe	30
PID 2328 wrote to memory of 2956	2328	sys32.exe	30
PID 2328 wrote to memory of 2956	2328	sys32.exe	30
PID 2328 wrote to memory of 2956	2328	sys32.exe	30
PID 2884 wrote to memory of 2856	2884	sys32.exe	79
PID 2884 wrote to memory of 2856	2884	sys32.exe	79
PID 2884 wrote to memory of 2856	2884	sys32.exe	79
PID 2884 wrote to memory of 2856	2884	sys32.exe	79
PID 2884 wrote to memory of 2872	2884	sys32.exe	33
PID 2884 wrote to memory of 2872	2884	sys32.exe	33
PID 2884 wrote to memory of 2872	2884	sys32.exe	33
PID 2884 wrote to memory of 2872	2884	sys32.exe	33
PID 1988 wrote to memory of 2040	1988	sys32.exe	34
PID 1988 wrote to memory of 2040	1988	sys32.exe	34
PID 1988 wrote to memory of 2040	1988	sys32.exe	34
PID 1988 wrote to memory of 2040	1988	sys32.exe	34

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4088	attrib.exe
3428	attrib.exe
1548	attrib.exe
2528	attrib.exe
2288	attrib.exe
3952	attrib.exe
1108	attrib.exe
2676	attrib.exe
5740	attrib.exe
920	attrib.exe
3988	attrib.exe
4956	attrib.exe
612	attrib.exe
1888	attrib.exe
5232	attrib.exe
1340	attrib.exe
4032	attrib.exe
5224	attrib.exe
5772	attrib.exe
2632	attrib.exe
2624	attrib.exe
1400	attrib.exe
4024	attrib.exe
3104	attrib.exe
3308	attrib.exe
2364	attrib.exe
5368	attrib.exe
2780	attrib.exe
2192	attrib.exe
836	attrib.exe
3964	attrib.exe
2408	attrib.exe
3176	attrib.exe
3844	attrib.exe
5080	attrib.exe
4124	attrib.exe
2040	attrib.exe
1604	attrib.exe
2632	attrib.exe
4432	attrib.exe
2436	attrib.exe
1504	attrib.exe
2644	attrib.exe
2992	attrib.exe
3932	attrib.exe
5288	attrib.exe
3456	attrib.exe
3212	attrib.exe
3332	attrib.exe
5080	attrib.exe
3412	attrib.exe
3432	attrib.exe
1596	attrib.exe
4984	attrib.exe
3412	attrib.exe
2644	attrib.exe
1612	attrib.exe
4364	attrib.exe
2752	attrib.exe
1596	attrib.exe
3136	attrib.exe
4228	attrib.exe
4456	attrib.exe
3616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sys32.exe
"C:\Users\Admin\AppData\Local\Temp\sys32.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\sys32.exe
  "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
  2⤵
  - Disables RegEdit via registry modification
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    - Disables RegEdit via registry modification
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      Disables RegEdit via registry modification
      Suspicious use of SetWindowsHookEx
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        9⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        9⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        7⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        7⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        7⤵
        Sets file to hidden
        
        PID:5320
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        7⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        7⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        7⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        7⤵
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3604
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:4076
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        
        PID:1564
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        
        PID:3592
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        
        PID:3048
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        6⤵
        
        PID:3468
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        6⤵
        
        PID:3920
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        6⤵
        Sets file to hidden
        
        PID:2108
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:3668
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        6⤵
        
        PID:3732
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        6⤵
        Sets file to hidden
        
        PID:3556
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:4220
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:4516
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:4984
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        6⤵
        
        PID:4412
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        6⤵
        
        PID:4460
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        6⤵
        Sets file to hidden
        
        PID:5620
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        6⤵
        
        PID:5240
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:4048
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        6⤵
        
        PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3692
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        
        PID:4888
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        Sets file to hidden
        
        PID:4660
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        Sets file to hidden
        
        PID:4832
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:5288
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        6⤵
        
        PID:5252
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        6⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\Uninstall.zrz"
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        Sets file to hidden
        
        PID:3068
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        Sets file to hidden
        
        PID:1728
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        Sets file to hidden
        
        PID:1176
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        5⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz"
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        5⤵
        
        PID:648
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\apt.zrz"
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2408
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javac.zrz"
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1888
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jps.zrz"
        5⤵
        
        PID:156
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\klist.zrz"
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmid.zrz"
        5⤵
        
        PID:592
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.zrz"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.zrz"
        5⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:920
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.zrz"
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Mahjong\Mahjong.zrz"
        5⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\Office14\MSOHTMED.zrz"
        5⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\pingsender.zrz"
        5⤵
        
        PID:3400
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        5⤵
        
        PID:3772
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        5⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        5⤵
        
        PID:3240
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        5⤵
        
        PID:3760
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        5⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        5⤵
        
        PID:4084
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:3840
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:4088
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        5⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        5⤵
        Sets file to hidden
        
        PID:4696
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        5⤵
        
        PID:5116
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:5096
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        5⤵
        
        PID:4684
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        5⤵
        
        PID:5476
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        5⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DisconnectRegister.zrz"
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\Desktop\EnterSkip.zrz"
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.zrz"
      4⤵
      Views/modifies file attributes
      PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.zrz"
      4⤵
      PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:1780
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        9⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        7⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        7⤵
        Sets file to hidden
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3392
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:4124
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        Sets file to hidden
        
        PID:4128
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        
        PID:4772
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:3932
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        6⤵
        
        PID:3952
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        6⤵
        
        PID:3940
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        6⤵
        
        PID:5296
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:6028
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        6⤵
        
        PID:5424
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:5236
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2192
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1548
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2528
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        5⤵
        Sets file to hidden
        
        PID:2088
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javah.zrz"
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jhat.zrz"
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.zrz"
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\pack200.zrz"
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.zrz"
        5⤵
        
        PID:368
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:836
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2288
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.zrz"
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javacpl.zrz"
        5⤵
        Sets file to hidden
        
        PID:2244
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javaws.zrz"
        5⤵
        
        PID:1164
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\keytool.zrz"
        5⤵
        Sets file to hidden
        
        PID:3084
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\klist.zrz"
        5⤵
        Sets file to hidden
        
        PID:3208
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\ktab.zrz"
        5⤵
        
        PID:3396
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\pack200.zrz"
        5⤵
        
        PID:3604
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\rmid.zrz"
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\ssvagent.zrz"
        5⤵
        
        PID:4028
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3844
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\firefox.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3212
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\updater.zrz"
        5⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        5⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        5⤵
        
        PID:3504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        5⤵
        
        PID:3784
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:3612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        5⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:4344
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        5⤵
        Sets file to hidden
        
        PID:4728
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:4456
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        5⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:5868
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        5⤵
        
        PID:5208
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2688
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        Sets file to hidden
        
        PID:4444
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        
        PID:5060
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        
        PID:4460
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        
        PID:5116
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        6⤵
        
        PID:3184
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:4956
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        6⤵
        
        PID:5652
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:3084
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        6⤵
        
        PID:5692
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        6⤵
        Sets file to hidden
        
        PID:4220
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        6⤵
        Sets file to hidden
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:5952
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:5760
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        Sets file to hidden
        
        PID:528
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        5⤵
        Sets file to hidden
        
        PID:1596
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        5⤵
        
        PID:948
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jdb.zrz"
        5⤵
        
        PID:268
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstack.zrz"
        5⤵
        
        PID:976
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.zrz"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\servertool.zrz"
        5⤵
        
        PID:648
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.zrz"
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.zrz"
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.zrz"
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.zrz"
        5⤵
        Sets file to hidden
        
        PID:1992
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.zrz"
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\uninstall\helper.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3308
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc-cache-gen.zrz"
        5⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        5⤵
        Sets file to hidden
        
        PID:1752
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        5⤵
        Sets file to hidden
        
        PID:3348
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        5⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        5⤵
        
        PID:3304
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3616
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        5⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
        5⤵
        Sets file to hidden
        
        PID:4896
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:4228
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        5⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:4496
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        5⤵
        
        PID:5780
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        5⤵
        Sets file to hidden
        
        PID:5644
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
        5⤵
        
        PID:2392
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zFM.zrz"
      4⤵
      Sets file to hidden
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zG.zrz"
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.zrz"
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.zrz"
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome.zrz"
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      Views/modifies file attributes
      PID:1596
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaw.zrz"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.zrz"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.zrz"
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmic.zrz"
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.zrz"
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.zrz"
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.zrz"
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.zrz"
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\unpack200.zrz"
      4⤵
      PID:3204
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Chess\Chess.zrz"
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Purble Place\PurblePlace.zrz"
      4⤵
      Views/modifies file attributes
      PID:3104
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\plugin-container.zrz"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
      4⤵
      Sets file to hidden
      PID:3740
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
      4⤵
      Sets file to hidden
      PID:3732
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
      4⤵
      Sets file to hidden
      PID:4472
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
      4⤵
      PID:5320
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
      4⤵
      Views/modifies file attributes
      PID:3412
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Temp\3852212418\zmstage.zrz"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Temp\ose00000.zrz"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.zrz"
    3⤵
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:6008
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:5680
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:3128
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        
        PID:4876
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        
        PID:5368
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        8⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:3900
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        7⤵
        
        PID:4408
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:4248
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        
        PID:804
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        
        PID:5312
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        
        PID:5876
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:3232
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        Sets file to hidden
        
        PID:2676
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        Sets file to hidden
        
        PID:4744
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        Sets file to hidden
        
        PID:4344
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        Sets file to hidden
        
        PID:4588
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5232
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5740
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        
        PID:5720
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:5036
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
      4⤵
      Sets file to hidden
      PID:2212
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.zrz"
      4⤵
      Views/modifies file attributes
      PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.zrz"
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.zrz"
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javap.zrz"
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.zrz"
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\ktab.zrz"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.zrz"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.zrz"
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.zrz"
      4⤵
      Views/modifies file attributes
      PID:1340
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.zrz"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4024
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\minidump-analyzer.zrz"
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
      4⤵
      Views/modifies file attributes
      PID:3332
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
      4⤵
      Sets file to hidden
      PID:1180
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
      4⤵
      Views/modifies file attributes
      PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
      4⤵
      Sets file to hidden
      PID:4368
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
      4⤵
      Views/modifies file attributes
      PID:5224
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
      4⤵
      PID:3768
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
    3⤵
    - Sets file to hidden
    PID:2740
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2632
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.zrz"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome_proxy.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2624
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
    3⤵
    - Sets file to hidden
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jar.zrz"
    3⤵
    - Sets file to hidden
    PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.zrz"
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.zrz"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.zrz"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\kinit.zrz"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.zrz"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.zrz"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2644
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.zrz"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\FreeCell\FreeCell.zrz"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Solitaire\Solitaire.zrz"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice.zrz"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc.zrz"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
    3⤵
    - Sets file to hidden
    PID:1004
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5080
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
    3⤵
    - Views/modifies file attributes
    PID:4432
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
    3⤵
    - Views/modifies file attributes
    PID:5772
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
    3⤵
    - Views/modifies file attributes
    PID:3964
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Temp\sys32.zrz"
  2⤵
  - Views/modifies file attributes
  PID:2040
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.zrz"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.zrz"
  2⤵
  PID:1196
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.zrz"
  2⤵
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\sys32.exe
  "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
  2⤵
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:1792
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:5600
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:844
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4292
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
      4⤵
      Views/modifies file attributes
      PID:3176
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\default-browser-agent.zrz"
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
      4⤵
      Sets file to hidden
      PID:1808
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
      4⤵
      Views/modifies file attributes
      PID:1596
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
      4⤵
      Views/modifies file attributes
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
      4⤵
      Views/modifies file attributes
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
      4⤵
      Sets file to hidden
      PID:4740
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
      4⤵
      PID:5148
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
      4⤵
      PID:4172
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:5264
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:3544
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
    3⤵
    - Views/modifies file attributes
    PID:1604
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
    3⤵
    - Views/modifies file attributes
    PID:1400
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.zrz"
    3⤵
    - Sets file to hidden
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.zrz"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jmc.zrz"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstat.zrz"
    3⤵
    - Sets file to hidden
    PID:920
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\orbd.zrz"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\serialver.zrz"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.zrz"
    3⤵
    - Sets file to hidden
    PID:976
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.zrz"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.zrz"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\jabswitch.zrz"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\java-rmi.zrz"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\java.zrz"
    3⤵
    - Sets file to hidden
    PID:2448
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javaw.zrz"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\jp2launcher.zrz"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\kinit.zrz"
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\orbd.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3456
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\policytool.zrz"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\rmiregistry.zrz"
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\servertool.zrz"
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\tnameserv.zrz"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.zrz"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\crashreporter.zrz"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\private_browsing.zrz"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
    3⤵
    - Views/modifies file attributes
    PID:3988
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
    3⤵
    - Views/modifies file attributes
    PID:3428
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2364
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
    3⤵
    - Sets file to hidden
    PID:6076
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
    3⤵
    - Sets file to hidden
    PID:5344
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Sidebar\sidebar.zrz"
    3⤵
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\sys32.exe
  "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        6⤵
        
        PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:648
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
        5⤵
        
        PID:4628
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
      4⤵
      Views/modifies file attributes
      PID:3136
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
      4⤵
      PID:3284
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      Sets file to hidden
      PID:3348
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      Views/modifies file attributes
      PID:2992
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
      4⤵
      Sets file to hidden
      PID:3144
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
      4⤵
      Views/modifies file attributes
      PID:3432
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
      4⤵
      Views/modifies file attributes
      PID:1108
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
      4⤵
      Sets file to hidden
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
      4⤵
      Sets file to hidden
      PID:4832
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
      4⤵
      Sets file to hidden
      PID:4152
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
      4⤵
      Views/modifies file attributes
      PID:5080
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
      4⤵
      PID:5376
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
      4⤵
      PID:4200
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
      "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
      4⤵
      PID:3840
- - C:\Users\Admin\AppData\Local\Temp\sys32.exe
    "C:\Users\Admin\AppData\Local\Temp\sys32.exe" 0
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
    3⤵
    - Sets file to hidden
    PID:4160
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:4384
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7z.zrz"
  2⤵
  PID:2140
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
  2⤵
  PID:2840
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
  2⤵
  PID:3024
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
  2⤵
  PID:368
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
  2⤵
  - Sets file to hidden
  PID:2820
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
  2⤵
  PID:1548
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
  2⤵
  - Views/modifies file attributes
  PID:1504
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.zrz"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.zrz"
  2⤵
  PID:1404
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
  2⤵
  PID:1276
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.zrz"
  2⤵
  PID:668
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
  2⤵
  PID:1364
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:612
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
  2⤵
  PID:1564
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.zrz"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\idlj.zrz"
  2⤵
  PID:1888
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\java.zrz"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaws.zrz"
  2⤵
  PID:920
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jmap.zrz"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\keytool.zrz"
  2⤵
  - Sets file to hidden
  PID:2680
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\policytool.zrz"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\xjc.zrz"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.zrz"
  2⤵
  PID:648
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.zrz"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Hearts\Hearts.zrz"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.zrz"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.zrz"
  2⤵
  PID:3304
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\uninstall.zrz"
  2⤵
  PID:3596
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
  2⤵
  - Views/modifies file attributes
  PID:3952
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
  2⤵
  PID:1248
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
  2⤵
  PID:3896
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
  2⤵
  PID:3192
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
  2⤵
  - Views/modifies file attributes
  PID:3412
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
  2⤵
  PID:3764
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
  2⤵
  PID:3208
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
  2⤵
  PID:3512
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
  2⤵
  - Views/modifies file attributes
  PID:4032
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPDMC.zrz"
  2⤵
  PID:4084
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpenc.zrz"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
  2⤵
  PID:4260
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
  2⤵
  PID:4652
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
  2⤵
  PID:4168
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
  2⤵
  - Views/modifies file attributes
  PID:4364
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\WMPSideShowGadget.zrz"
  2⤵
  PID:4460
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
  2⤵
  PID:5700
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
  2⤵
  PID:5356

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zFM.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
\Users\Admin\AppData\Local\Temp\sys32.exe

Filesize
32KB

MD5
645dea8cf7d178cc06112c26d4bbab29

SHA1
1659167f8da3227af247f5bb95b1fdeb0925530a

SHA256
29a748c5a873bc89967fd8302c1e44db892c7b5473dbf7119a58717c511acce2

SHA512
a1e28baf1acf0022b2202308dbe2f83e217057013b869c59c7e0c1bf0aead6545c60cb5ae9ba1397935744b701f3df80746b5edaed428b4ab079b87a9d66cf41

Download Submit
memory/1988-60-0x0000000004D90000-0x000000000584A000-memory.dmp

Filesize
10.7MB

Download
memory/1988-162-0x0000000004D90000-0x000000000584A000-memory.dmp

Filesize
10.7MB

Download
memory/2264-191-0x0000000004F80000-0x0000000005A3A000-memory.dmp

Filesize
10.7MB

Download
memory/2264-164-0x0000000004F80000-0x0000000005A3A000-memory.dmp

Filesize
10.7MB

Download
memory/2328-51-0x0000000004D70000-0x000000000582A000-memory.dmp

Filesize
10.7MB

Download
memory/2328-177-0x0000000004C70000-0x000000000572A000-memory.dmp

Filesize
10.7MB

Download
memory/2328-163-0x0000000004D70000-0x000000000582A000-memory.dmp

Filesize
10.7MB

Download
memory/2336-64-0x0000000005160000-0x0000000005C1A000-memory.dmp

Filesize
10.7MB

Download
memory/2336-167-0x0000000005160000-0x0000000005C1A000-memory.dmp

Filesize
10.7MB

Download
memory/2368-179-0x0000000004E00000-0x00000000058BA000-memory.dmp

Filesize
10.7MB

Download
memory/2368-174-0x0000000004E00000-0x00000000058BA000-memory.dmp

Filesize
10.7MB

Download
memory/2884-159-0x0000000004F00000-0x00000000059BA000-memory.dmp

Filesize
10.7MB

Download
memory/2884-63-0x0000000004F00000-0x00000000059BA000-memory.dmp

Filesize
10.7MB

Download
memory/2904-169-0x00000000051D0000-0x0000000005C8A000-memory.dmp

Filesize
10.7MB

Download
memory/2904-199-0x00000000051D0000-0x0000000005C8A000-memory.dmp

Filesize
10.7MB

Download
memory/2956-161-0x0000000004DC0000-0x000000000587A000-memory.dmp

Filesize
10.7MB

Download
memory/2956-50-0x0000000004DC0000-0x000000000587A000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads