4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

Analysis

max time kernel
102s
max time network
364s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sihost.exe
Size

32KB
MD5

ccf9970a30773d65b345eae8d931f84d
SHA1

6553f5dc06ae80377d639575818d6c09569675c0
SHA256

4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796
SHA512

a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e
SSDEEP

384:8LipZl447piqb/lUYf5uH3w59AMRG5qUIjFgOrjFymqAeO8W8RNlz8G:dmiiqTfk2AMRGwlFgOrjs7Nlz8G

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3096	Process not Found
4048	Process not Found
4560	Process not Found
3396	Process not Found
2404	attrib.exe
1160	Process not Found
3700	Process not Found
3492	Process not Found
4592	Process not Found
4848	Process not Found
4284	Process not Found
3460	Process not Found
1088	attrib.exe
1556	attrib.exe
3796	Process not Found
4372	Process not Found
1564	Process not Found
4268	Process not Found
3812	Process not Found
2768	attrib.exe
4048	Process not Found
1640	Process not Found
2896	Process not Found
2172	attrib.exe
1816	attrib.exe
3724	Process not Found
4324	Process not Found
2020	Process not Found
3780	Process not Found
4192	Process not Found
3156	Process not Found
3604	Process not Found
1664	Process not Found
2676	attrib.exe
1292	attrib.exe
3196	Process not Found
1152	Process not Found
2084	Process not Found
3832	Process not Found
4248	Process not Found
3744	Process not Found
560	Process not Found
3552	Process not Found
1160	Process not Found
3704	Process not Found
5116	Process not Found
4660	Process not Found
3140	Process not Found
2824	Process not Found
3412	Process not Found
4868	Process not Found
2744	attrib.exe
2300	Process not Found
2436	Process not Found
1648	attrib.exe
4992	Process not Found
1544	attrib.exe
3620	Process not Found
1620	Process not Found
5072	Process not Found
5064	Process not Found
4592	Process not Found
1292	attrib.exe
872	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\iexplore.exe	sihost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	sihost.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.zrz	conhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	sihost.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	sihost.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	sihost.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	sihost.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	sihost.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	sihost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.zrz	attrib.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	sihost.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	sihost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	sihost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.zrz	Process not Found
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.zrz	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.zrz	Process not Found
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	sihost.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	sihost.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.zrz	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.zrz	Process not Found
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.zrz	Process not Found
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe	sihost.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	sihost.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	sihost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	sihost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	sihost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.zrz	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.zrz	cmd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.zrz	Process not Found
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.zrz	Process not Found
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.zrz	cmd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	sihost.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	sihost.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	sihost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.zrz	attrib.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz	conhost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	sihost.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	sihost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.zrz	conhost.exe
File created	C:\Program Files\7-Zip\7zFM.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.zrz	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 64 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2360	Process not Found
1752	ipconfig.exe
2088	ipconfig.exe
3940	Process not Found
1120	Process not Found
1120	ipconfig.exe
1556	ipconfig.exe
844	Process not Found
3212	Process not Found
4548	Process not Found
2832	ipconfig.exe
1620	ipconfig.exe
4548	Process not Found
2640	ipconfig.exe
2100	ipconfig.exe
3300	Process not Found
4228	Process not Found
864	ipconfig.exe
1576	Process not Found
4092	Process not Found
2472	Process not Found
4792	Process not Found
1992	Process not Found
2072	ipconfig.exe
4636	Process not Found
4944	Process not Found
680	ipconfig.exe
968	ipconfig.exe
3504	Process not Found
1608	Process not Found
3160	Process not Found
972	Process not Found
4376	Process not Found
1296	Process not Found
3024	ipconfig.exe
2464	ipconfig.exe
1732	Process not Found
3212	Process not Found
2364	Process not Found
1648	Process not Found
4008	Process not Found
4488	Process not Found
1648	ipconfig.exe
1440	ipconfig.exe
188	Process not Found
3796	Process not Found
2280	Process not Found
2760	ipconfig.exe
4832	Process not Found
4520	Process not Found
1936	Process not Found
3776	Process not Found
4068	Process not Found
864	Process not Found
2456	ipconfig.exe
2248	ipconfig.exe
2716	Process not Found
1316	ipconfig.exe
624	ipconfig.exe
3504	Process not Found
2040	Process not Found
2620	Process not Found
872	Process not Found
4860	Process not Found

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2104	sihost.exe
520	sihost.exe
1824	sihost.exe
2960	sihost.exe
1280	sihost.exe
2196	sihost.exe
2892	sihost.exe
840	sihost.exe
3036	sihost.exe
2440	sihost.exe
1140	sihost.exe
2948	sihost.exe
752	sihost.exe
2144	sihost.exe
240	sihost.exe
2116	sihost.exe
1500	sihost.exe
1568	sihost.exe
1916	sihost.exe
1056	sihost.exe
2228	sihost.exe
2132	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2784	2104	sihost.exe	28
PID 2104 wrote to memory of 2784	2104	sihost.exe	28
PID 2104 wrote to memory of 2784	2104	sihost.exe	28
PID 2104 wrote to memory of 2784	2104	sihost.exe	28
PID 2104 wrote to memory of 2288	2104	sihost.exe	30
PID 2104 wrote to memory of 2288	2104	sihost.exe	30
PID 2104 wrote to memory of 2288	2104	sihost.exe	30
PID 2104 wrote to memory of 2288	2104	sihost.exe	30
PID 2104 wrote to memory of 2564	2104	sihost.exe	32
PID 2104 wrote to memory of 2564	2104	sihost.exe	32
PID 2104 wrote to memory of 2564	2104	sihost.exe	32
PID 2104 wrote to memory of 2564	2104	sihost.exe	32
PID 2564 wrote to memory of 2880	2564	cmd.exe	34
PID 2564 wrote to memory of 2880	2564	cmd.exe	34
PID 2564 wrote to memory of 2880	2564	cmd.exe	34
PID 2564 wrote to memory of 2880	2564	cmd.exe	34
PID 2104 wrote to memory of 2568	2104	sihost.exe	35
PID 2104 wrote to memory of 2568	2104	sihost.exe	35
PID 2104 wrote to memory of 2568	2104	sihost.exe	35
PID 2104 wrote to memory of 2568	2104	sihost.exe	35
PID 2104 wrote to memory of 2864	2104	sihost.exe	37
PID 2104 wrote to memory of 2864	2104	sihost.exe	37
PID 2104 wrote to memory of 2864	2104	sihost.exe	37
PID 2104 wrote to memory of 2864	2104	sihost.exe	37
PID 2104 wrote to memory of 2848	2104	sihost.exe	39
PID 2104 wrote to memory of 2848	2104	sihost.exe	39
PID 2104 wrote to memory of 2848	2104	sihost.exe	39
PID 2104 wrote to memory of 2848	2104	sihost.exe	39
PID 2104 wrote to memory of 2736	2104	sihost.exe	41
PID 2104 wrote to memory of 2736	2104	sihost.exe	41
PID 2104 wrote to memory of 2736	2104	sihost.exe	41
PID 2104 wrote to memory of 2736	2104	sihost.exe	41
PID 2104 wrote to memory of 2388	2104	sihost.exe	43
PID 2104 wrote to memory of 2388	2104	sihost.exe	43
PID 2104 wrote to memory of 2388	2104	sihost.exe	43
PID 2104 wrote to memory of 2388	2104	sihost.exe	43
PID 2388 wrote to memory of 2456	2388	cmd.exe	45
PID 2388 wrote to memory of 2456	2388	cmd.exe	45
PID 2388 wrote to memory of 2456	2388	cmd.exe	45
PID 2388 wrote to memory of 2456	2388	cmd.exe	45
PID 2104 wrote to memory of 2944	2104	sihost.exe	47
PID 2104 wrote to memory of 2944	2104	sihost.exe	47
PID 2104 wrote to memory of 2944	2104	sihost.exe	47
PID 2104 wrote to memory of 2944	2104	sihost.exe	47
PID 2104 wrote to memory of 520	2104	sihost.exe	48
PID 2104 wrote to memory of 520	2104	sihost.exe	48
PID 2104 wrote to memory of 520	2104	sihost.exe	48
PID 2104 wrote to memory of 520	2104	sihost.exe	48
PID 520 wrote to memory of 464	520	sihost.exe	49
PID 520 wrote to memory of 464	520	sihost.exe	49
PID 520 wrote to memory of 464	520	sihost.exe	49
PID 520 wrote to memory of 464	520	sihost.exe	49
PID 2104 wrote to memory of 2416	2104	sihost.exe	51
PID 2104 wrote to memory of 2416	2104	sihost.exe	51
PID 2104 wrote to memory of 2416	2104	sihost.exe	51
PID 2104 wrote to memory of 2416	2104	sihost.exe	51
PID 520 wrote to memory of 332	520	sihost.exe	54
PID 520 wrote to memory of 332	520	sihost.exe	54
PID 520 wrote to memory of 332	520	sihost.exe	54
PID 520 wrote to memory of 332	520	sihost.exe	54
PID 2104 wrote to memory of 948	2104	sihost.exe	53
PID 2104 wrote to memory of 948	2104	sihost.exe	53
PID 2104 wrote to memory of 948	2104	sihost.exe	53
PID 2104 wrote to memory of 948	2104	sihost.exe	53

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
856	attrib.exe
2676	attrib.exe
1088	Process not Found
4632	Process not Found
2496	Process not Found
2068	Process not Found
1664	attrib.exe
2672	Process not Found
4100	Process not Found
3888	Process not Found
4980	Process not Found
2768	attrib.exe
2556	attrib.exe
1292	Process not Found
3664	Process not Found
1016	Process not Found
2420	attrib.exe
2076	Process not Found
3720	Process not Found
5092	Process not Found
2216	Process not Found
1440	Process not Found
3020	Process not Found
1324	Process not Found
3084	Process not Found
2312	Process not Found
3920	Process not Found
3372	Process not Found
4272	Process not Found
4548	Process not Found
4684	Process not Found
2188	Process not Found
956	attrib.exe
3796	Process not Found
2360	Process not Found
4304	Process not Found
560	Process not Found
4604	Process not Found
4924	Process not Found
1660	attrib.exe
4676	Process not Found
5048	Process not Found
1120	Process not Found
580	Process not Found
3708	Process not Found
3948	Process not Found
4480	Process not Found
3200	Process not Found
4500	Process not Found
3440	Process not Found
2240	Process not Found
1684	Process not Found
3324	Process not Found
3168	Process not Found
2700	Process not Found
3520	Process not Found
3396	Process not Found
4216	Process not Found
3632	Process not Found
1664	Process not Found
3636	Process not Found
3324	Process not Found
3444	Process not Found
5048	Process not Found

C:\Users\Admin\AppData\Local\Temp\sihost.exe
"C:\Users\Admin\AppData\Local\Temp\sihost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
  2⤵
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Tree "D:" >> "C:\Log.crypt2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\tree.com
    Tree "D:"
    3⤵
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all >> "C:\Log.crypt2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\sihost.exe
  "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Tree "D:" >> "C:\Log.crypt2"
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\tree.com
      Tree "D:"
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> "C:\Log.crypt2"
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\sihost.exe
    "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Tree "D:" >> "C:\Log.crypt2"
      4⤵
      PID:2248
    - - C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        5⤵
        
        PID:596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\Log.crypt2"
      4⤵
      PID:3004
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
      "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        5⤵
        
        PID:1936
      - C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        6⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        5⤵
        
        PID:616
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1280
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        6⤵
        
        PID:2132
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        6⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        7⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:1620
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        6⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        6⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        7⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        7⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        7⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        8⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        8⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        8⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        8⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        8⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        8⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        8⤵
        
        PID:996
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        9⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        8⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        8⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        9⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        9⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        9⤵
        
        PID:624
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        9⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        9⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        9⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        10⤵
        Gathers network information
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        9⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        9⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        9⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        10⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        10⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        11⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        10⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        10⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        10⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        10⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        11⤵
        Gathers network information
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        10⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        10⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        11⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        11⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        11⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        12⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        11⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        11⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        11⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        11⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        12⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        11⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        11⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        12⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        12⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        12⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        13⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        12⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        12⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        12⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        12⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        13⤵
        Gathers network information
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        12⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        12⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        13⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        13⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        13⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        13⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        13⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        13⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        13⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        13⤵
        
        PID:616
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        14⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        13⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        14⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        14⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        14⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        15⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        14⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        14⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        14⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        14⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        14⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        15⤵
        Gathers network information
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        14⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        15⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        15⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        15⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        16⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        15⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        15⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        15⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        15⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        15⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        16⤵
        Gathers network information
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        15⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        15⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        16⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        16⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        16⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        17⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        16⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        16⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        16⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        16⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        16⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        17⤵
        Gathers network information
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        16⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        16⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        17⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        17⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        17⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        18⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        17⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        17⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        17⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        17⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        17⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        18⤵
        Gathers network information
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        17⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        17⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        18⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        18⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        18⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        19⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        18⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        18⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        18⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        18⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        18⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        19⤵
        Gathers network information
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        18⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        18⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        19⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        19⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        19⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        20⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        19⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        19⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        19⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        19⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        19⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        20⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        19⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        19⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        20⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        20⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        20⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        21⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        20⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        20⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        20⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        20⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        20⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        21⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        20⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        20⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        21⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        21⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        21⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        22⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        21⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        21⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        21⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        21⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        21⤵
        
        PID:848
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        22⤵
        Gathers network information
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        21⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        21⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        22⤵
        
        PID:156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        22⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        22⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        23⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        22⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        22⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        22⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        22⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        22⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        23⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        22⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        22⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        23⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        23⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        23⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        24⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        23⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        23⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        23⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        23⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        23⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        24⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        23⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        23⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        24⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        24⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        24⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        25⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        24⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        24⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        24⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        24⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        24⤵
        
        PID:552
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        25⤵
        Gathers network information
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        24⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        24⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        25⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        25⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        25⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        26⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        25⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        25⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        25⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        25⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        25⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        26⤵
        Gathers network information
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        25⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        25⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        26⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        26⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        26⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        27⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        26⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        26⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        26⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        26⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        26⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        27⤵
        Gathers network information
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        26⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        26⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        27⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        27⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        27⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        28⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        27⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        27⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        27⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        27⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        27⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        28⤵
        Gathers network information
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        27⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        27⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        28⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        28⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        28⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        29⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        28⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        28⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        28⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        28⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        28⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        29⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        28⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        28⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        29⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        29⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        29⤵
        
        PID:956
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        30⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        29⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        29⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        29⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        29⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        29⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        30⤵
        Gathers network information
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        29⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        29⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        30⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        30⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        30⤵
        
        PID:972
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        31⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        30⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        30⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        30⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        30⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        30⤵
        Drops file in Program Files directory
        
        PID:2600
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        31⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        30⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        30⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        31⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        31⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        31⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        32⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        31⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        31⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        31⤵
        Drops file in Program Files directory
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        31⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        31⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        32⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        31⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        31⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        32⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        32⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        32⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        33⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        32⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        32⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        32⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        32⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        32⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        33⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        32⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        32⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        33⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        33⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        33⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        34⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        33⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        33⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        33⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        33⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        33⤵
        Drops file in Program Files directory
        
        PID:1816
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        34⤵
        Gathers network information
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        33⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        33⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        34⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        34⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        32⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        32⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        32⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        32⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        32⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        32⤵
        
        PID:844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        32⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        32⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        31⤵
        
        PID:972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        31⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        31⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        31⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        30⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        30⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        30⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        30⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        29⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        29⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        29⤵
        
        PID:680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        29⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        29⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        29⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        29⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        29⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        28⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        28⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        28⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        28⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        28⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        28⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        28⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        28⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        28⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        27⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        27⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        27⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        27⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        27⤵
        Sets file to hidden
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        27⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        27⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        27⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        27⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        27⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        27⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        27⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        27⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        26⤵
        Views/modifies file attributes
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        26⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        26⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        26⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        26⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        26⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        26⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        26⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        26⤵
        
        PID:648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        26⤵
        
        PID:836
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        26⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        26⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        26⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        25⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        25⤵
        
        PID:156
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        25⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        25⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        25⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        25⤵
        
        PID:856
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        25⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        25⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        25⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        25⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        25⤵
        
        PID:436
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        25⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        25⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        24⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        24⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        24⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        24⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        24⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        24⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        24⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        24⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        24⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        24⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        24⤵
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        24⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        24⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        23⤵
        Drops file in Program Files directory
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        23⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        23⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        23⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        23⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        23⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        23⤵
        Sets file to hidden
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        23⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        23⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        22⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        22⤵
        
        PID:916
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        22⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        22⤵
        
        PID:764
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        22⤵
        Sets file to hidden
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        22⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        22⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        22⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        22⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        22⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        22⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        22⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        22⤵
        
        PID:856
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        21⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        21⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        21⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        21⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        21⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        21⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        21⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        21⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        21⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        21⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        21⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        21⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        21⤵
        
        PID:616
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        20⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        20⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        20⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        20⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        20⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        20⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        20⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        20⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        20⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        20⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        20⤵
        
        PID:268
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        20⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        20⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        19⤵
        Views/modifies file attributes
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        19⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        19⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        19⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        19⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        19⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        19⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        19⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        19⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        19⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        19⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        19⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        19⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        18⤵
        
        PID:808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        18⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        18⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        18⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        18⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        18⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        18⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        18⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        18⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        18⤵
        
        PID:944
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        18⤵
        
        PID:396
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        18⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        18⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        17⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        17⤵
        Sets file to hidden
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        17⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        17⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        17⤵
        Views/modifies file attributes
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        17⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        17⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        17⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        17⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        17⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        17⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        17⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        17⤵
        
        PID:844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        16⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        16⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        16⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        16⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        16⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        16⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        16⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        16⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        16⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        16⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        16⤵
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        16⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        16⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        16⤵
        
        PID:616
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        16⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        16⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        15⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        15⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        15⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        15⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        15⤵
        
        PID:972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        15⤵
        
        PID:564
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        15⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        15⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        15⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        15⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        15⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        15⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        15⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        15⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        15⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        14⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        14⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        14⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        14⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        14⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        14⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        14⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        14⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        14⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        14⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        14⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        14⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        14⤵
        
        PID:996
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        14⤵
        
        PID:552
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        14⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        13⤵
        
        PID:552
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        13⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        13⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        13⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        13⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        13⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        13⤵
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        13⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        13⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        13⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        13⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        13⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        13⤵
        
        PID:596
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        12⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        12⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        12⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        12⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        12⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        12⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        12⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        12⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        12⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        12⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        12⤵
        Sets file to hidden
        
        PID:1292
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        11⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        11⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        11⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        11⤵
        
        PID:752
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        11⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        11⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        11⤵
        Sets file to hidden
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        11⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        11⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        11⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        11⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        11⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        10⤵
        
        PID:836
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        10⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        10⤵
        
        PID:752
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        10⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        10⤵
        Sets file to hidden
        
        PID:2404
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        10⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        10⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        10⤵
        
        PID:524
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        10⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.zrz"
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.zrz"
        10⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.zrz"
        10⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        10⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        10⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        9⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        9⤵
        
        PID:648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        9⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        9⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        9⤵
        Views/modifies file attributes
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        9⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        9⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        9⤵
        
        PID:964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        9⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        9⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.zrz"
        9⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.zrz"
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\pack200.zrz"
        9⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\servertool.zrz"
        9⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\xjc.zrz"
        9⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.zrz"
        9⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.zrz"
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.zrz"
        9⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.zrz"
        9⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.zrz"
        9⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.zrz"
        9⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\private_browsing.zrz"
        9⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\updater.zrz"
        9⤵
        
        PID:864
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\uninstall.zrz"
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc-cache-gen.zrz"
        9⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc.zrz"
        9⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        9⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        9⤵
        
        PID:596
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        9⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        9⤵
        
        PID:972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        9⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        8⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        8⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        8⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        8⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        8⤵
        Sets file to hidden
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        8⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        8⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        8⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.zrz"
        8⤵
        
        PID:764
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.zrz"
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.zrz"
        8⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.zrz"
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\FreeCell\FreeCell.zrz"
        8⤵
        
        PID:616
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.zrz"
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.zrz"
        8⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Purble Place\PurblePlace.zrz"
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\Office14\MSOHTMED.zrz"
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\uninstall\helper.zrz"
        8⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\firefox.zrz"
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        8⤵
        Sets file to hidden
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        8⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        8⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        8⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:856
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2420
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        7⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        7⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        7⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        7⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        7⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        7⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        7⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        7⤵
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        7⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        7⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        7⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.zrz"
        7⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.zrz"
        7⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        7⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        7⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        7⤵
        
        PID:1316
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        6⤵
        
        PID:1792
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        6⤵
        
        PID:1156
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        6⤵
        
        PID:1560
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        6⤵
        
        PID:1724
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        6⤵
        
        PID:1056
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        6⤵
        
        PID:1120
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:1488
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        6⤵
        
        PID:2304
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        6⤵
        
        PID:1348
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:2460
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:676
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jmc.zrz"
        6⤵
        
        PID:2352
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.zrz"
        6⤵
        
        PID:2304
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\klist.zrz"
        6⤵
        
        PID:1560
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\serialver.zrz"
        6⤵
        
        PID:1544
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.zrz"
        6⤵
        
        PID:964
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.zrz"
        6⤵
        
        PID:2548
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.zrz"
        6⤵
        
        PID:972
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\java-rmi.zrz"
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javacpl.zrz"
        6⤵
        
        PID:2972
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javaws.zrz"
        6⤵
        
        PID:2744
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\kinit.zrz"
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\klist.zrz"
        6⤵
        
        PID:2000
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\pack200.zrz"
        6⤵
        
        PID:1552
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\policytool.zrz"
        6⤵
        
        PID:396
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\tnameserv.zrz"
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\ssvagent.zrz"
        6⤵
        
        PID:1308
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\rmiregistry.zrz"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2768
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\crashreporter.zrz"
        6⤵
        
        PID:2608
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\default-browser-agent.zrz"
        6⤵
        
        PID:2348
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice.zrz"
        6⤵
        
        PID:1300
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\minidump-analyzer.zrz"
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\pingsender.zrz"
        6⤵
        
        PID:1552
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\plugin-container.zrz"
        6⤵
        
        PID:2772
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        6⤵
        
        PID:1604
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        6⤵
        
        PID:2236
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        6⤵
        
        PID:1604
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        6⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
        5⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
        5⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.zrz"
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        5⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:2000
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.zrz"
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.zrz"
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\java.zrz"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaw.zrz"
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaws.zrz"
        5⤵
        
        PID:624
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jmap.zrz"
        5⤵
        
        PID:680
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jps.zrz"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        
        PID:2172
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstack.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1660
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jstat.zrz"
        5⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\kinit.zrz"
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\orbd.zrz"
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.zrz"
        5⤵
        Sets file to hidden
        
        PID:1292
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.zrz"
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.zrz"
        5⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Solitaire\Solitaire.zrz"
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.zrz"
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
        5⤵
        
        PID:964
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\Journal.zrz"
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Journal\PDIALOG.zrz"
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:1092
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\WinMail.zrz"
        5⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome.zrz"
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome_proxy.zrz"
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.zrz"
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.zrz"
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jar.zrz"
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javah.zrz"
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javaws.zrz"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.zrz"
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.zrz"
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.zrz"
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\policytool.zrz"
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmid.zrz"
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.zrz"
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.zrz"
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.zrz"
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\jabswitch.zrz"
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\java.zrz"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\javaw.zrz"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\jp2launcher.zrz"
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\keytool.zrz"
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\ktab.zrz"
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\orbd.zrz"
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\rmid.zrz"
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\unpack200.zrz"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre7\bin\servertool.zrz"
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Chess\Chess.zrz"
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Hearts\Hearts.zrz"
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Mahjong\Mahjong.zrz"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.zrz"
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.zrz"
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MSASCui.zrz"
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.zrz"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.zrz"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.zrz"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
    3⤵
    - Sets file to hidden
    PID:2676
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\idlj.zrz"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.zrz"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javac.zrz"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javap.zrz"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jdb.zrz"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.zrz"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmic.zrz"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.zrz"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.zrz"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.zrz"
    3⤵
    PID:2732
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.zrz"
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.zrz"
  2⤵
  PID:948
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.zrz"
  2⤵
  PID:808
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.zrz"
  2⤵
  PID:1792
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7z.zrz"
  2⤵
  PID:916
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zFM.zrz"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zG.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2148
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\Uninstall.zrz"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.zrz"
  2⤵
  PID:1324
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.zrz"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.zrz"
  2⤵
  PID:756
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.zrz"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\mip.zrz"
  2⤵
  PID:552
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.zrz"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.zrz"
  2⤵
  PID:1300
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.zrz"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\DVD Maker\DVDMaker.zrz"
  2⤵
  PID:2072
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.zrz"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.zrz"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
  2⤵
  PID:660
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
  2⤵
  PID:1148
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\apt.zrz"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.zrz"
  2⤵
  PID:1628
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.zrz"
  2⤵
  PID:2436
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\jhat.zrz"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\keytool.zrz"
  2⤵
  PID:2416
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\ktab.zrz"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.zrz"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.zrz"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.zrz"
  2⤵
  PID:1624
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.zrz"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Defender\MpCmdRun.zrz"
  2⤵
  PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-261110700720300598-383553847-1136153854612381823-440463531197087574-102986686"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-168259505-1366298300142820527911750457462116182243-1989325766126229912-175916422"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-474487911-1510267287-9082482971438227545-12842118831919325514-763331614-1404296243"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "563176634-1563758341-4425821-2751292-415367977-697767508-1849249120-797919166"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "696903075-1387699883-4328829531191386906-1766684622119992351-1574604481460718304"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5575062384508631891444791168-765489120-7034699160693321518939887811556350699"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1331460591-1244744532-52217378307542961502736217704822824-2112856386778307717"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140702881319325595671345722035-79066428-1538234788324644659424988027-363835025"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1533544812879648106-10522823432111010572-154601754621204433291212124227-1447982242"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "948160288-1510227543-6966126561047813365902860100-11418739371687708946228525100"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7628780086568418181253782751417390086-454050621662774213790590135-901003765"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1370293149243355841-4182625461208502167374735620-6606337751818395968942273754"
1⤵
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "213242683215866205-332918449-303590852-358138151-65158488-1650222156-617584148"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14300818581123950303744981937-2409793731677739198-2016145614-309163283-1992530276"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "775632170339827754-528826971587772167-1591900348-2603342754366161144565207"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14705217801163255666117542223716122801910837471-15826863921849985681781165829"
1⤵
- Drops file in Program Files directory
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "572897259-18976796361109044567031283441889277697183792438422956443-1078459458"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1346440295-1013565206-325612883-2113941202-1173780029-629820509-590468698363046353"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113997349212197093445185168529701202466523689-20510334561201846212914913600"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1760463316944046652740041702-1715715337842748869-7105024432122464515-1130830100"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-535757575-673638316-209961898663623677-255718487-1694854789174583737-476797541"
1⤵
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "362774483-198214433610367317182841700691932063927-108161409-1676061255-2121216468"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12481142015563145331424372396-229990128-1242535877-780729438-6464696131036043728"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1232330934-2015308846-1421337335-577115507487379316-1871620316-21147094392020115697"
1⤵
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1842145943442549548489360859963213570130685322-302300312-1716693792-1712863020"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2006964306-137010369-485997566-1616072926-1094940307-1900025464131822584-1518914528"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-816438808-979798800123452903-1947241562-1836375730-3587927671486323712045813938"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1842508718-768920728-539934790-119158686169245198-1254173956-1786669100-638037760"
1⤵
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-897585502-13759308901590002530-593829595-9159483987409610131431060733-1657046087"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1728752282-15831798691958553336-16651674132047263796-706411370-1035405811-1011546292"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1572156694-1764954529-421436679-1005735498-83911017-1835061958919544759764943274"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6442213231547029117-12572335291442249374-288242981-841843009-148163728724957684"
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-853721475745919111208104404-16582778251631359361-1505712631339874035-393143687"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9893864191575095211578031871132649816511677612971632477164666384511-1447511814"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10337137001798128701937927516-464600165-6593592071363333749-1733989563-1234078801"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1805995554-1305217746-40964758194282915813819234141355055358-561484851961491871"
1⤵
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1476275432-1683887136-21515371-856738754-15392196491427353447-436741538-1344779622"
1⤵
PID:996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-894820661186458039-1602405661127278538629435968302612907-1600242830-157620737"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "356668928399988082-145219531101595654321798241-541317751-756867476-1251161807"
1⤵
PID:1856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1579031715-1590898799380684021380667739-1102003016-1068426064-1722674448-1436970526"
1⤵
PID:2576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4959468518313116461047623737-2013611264-944087981-952776354-17996448071076746212"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1470100541-371107069-17560758471741397982-5293806055383049101288709358-993483394"
1⤵
- Drops file in Program Files directory
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1943124561032244307-298660381762079351-548898856-1821977081891176936778703612"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1646261428-2928021871118762118-1164073795-20761846891073833301-477175383-178069116"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1701228584-1351091982-480917501-43669041576412887-20520682971453545692080041867"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11003255396230851301801407356634786491847744427194885427029508066-1460424387"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-230691103-1448068756-701883101-154128364614557985031939999444-8662640891986076900"
1⤵
PID:676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1485484909-670688388-1225823765-14465648081937796862-355442821-932535220-791467752"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-116856688816043540592042671757-1298529536155560470-150737253-14124621591745397115"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1419057419-4363566571787754547-420145534817919910-279621187-660744615906918191"
1⤵
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1242347194-8804450311476785929-39288856511619221091811662824492265086-355090645"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1967674094-387434852-1119862875606037855-1894299491-586763090-15183436091535959315"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1351005202833997617-733103947915013448-415243145-576769535230045106923883298"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1160206917-1822575212-6112263371364466336-36898851-20302270262133148658-416731274"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1994554976-553507309-19424783591402600714-1143211412-71035573371575689-398034428"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-979788188-1388553760-1428032983159268596418933100931234217192-3835740661382579384"
1⤵
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "754699961467835893-3464686371575546268-197855943-107744259414583334661321630309"
1⤵
PID:1444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17438024321496698389-1497892213-20405065721307782650819350748-13403816931667041671"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-187604861293554043-1992060326-6088275591065437924568201498-69779156417665619"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1636160687-205227331123776899-311295351-6186716801141823015-2134244009-1118605221"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1195114416415168778695878371730322207280530011615852195-2001093091-289712973"
1⤵
- Drops file in Program Files directory
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15730443381183707448-7741871858363000-1490991568318825442-985475986-1298803756"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1882654564-1862783760-1718399759-1080329037-718289609-685894289-1967803736-421433700"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1706655250-371321293-208691958310937106541732932899-1058182787-1370066408903075224"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-417856997-14376414701495408774-2093825917911077717-1899972947-41858088-1038126000"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1642437736630376322152081771554821420-131447693177070870914075947441781268733"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "187148516318470715332033200478259886345-355622044207914973110362158511889424146"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7425399909168258501193864222-846862356-543724064-8202588501429256204943773667"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "524356656-243684227-850993811836695506-825426196-1738696347-38193606-80790789"
1⤵
PID:648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1314193864-11774246622422087481271809048-2017162242-629905117-201300082356904563"
1⤵
PID:1156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "210725482572529245219120962452017805851482872966-12007038892079443917324649157"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1275084527-1085327896-8639960522140315017-14812718931568898535-860506242-630341957"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1782080017-949288357-1495313827-19049951945309296901626072312-462918378-1321268587"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21071260031798420024-10280049227202717701017784340-269204457-6323478061337994364"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20618660461287417236-13792577481789023326-849586925562611591-12856595161579783231"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "527400190-686532616-115381062537442729419403003461836958763401151525-551622350"
1⤵
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "841547671-1379872180114417961486425759-1515701144-9222759391961077472-1181303990"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "182605900217523734850559164213523125751023827822-917205063-37808137-1189964856"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1977782531652951727902390163-1244056968-452915641-12501022818427186381562259735"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1373323040-1473828749-1460920755-4373800221731700701630984625-4023258371251577618"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7860921751562895436-21264201681973696482-1185091556-235892460-1784648661-1381711796"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1415917153431185273-99955948411923417063471318981556870586-604796539-1884174317"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1945147401-2110263195-8188570281852502143151995476217881253171532471224-1212103437"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1375936951479763845111172508-1923517299109737484420315364939979874941755678235"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1043858355-30805414-298358113-70109935897208361-1571456752023693612-1508105140"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1163265428563650122-2043833111698568326-3163679412141772448-181235992017463899"
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
08eb812f8e9c9f4af910ba1bf30f3b79

SHA1
e89e9ee83388483e50451ef602c446c630876f4d

SHA256
5510af0a8c4be555404a1dde3d2a83c2d717a4a543305d1babeb2bf352f7341f

SHA512
ee4da6b3d06547b08b96bf17e43f5cd4fee610741400cdd54158e2acca8b8660bba5ec6368468af58b8817778ef9b5df9109c6d32c49a47cc27837ee93884244

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
7b10e080cdfe653df6ac89eca77d34d4

SHA1
58b8568c650077942ea5ac0c73c103d4ef37f571

SHA256
38c2645599da4acbcc74c03f6d2408b3f9d894089a03c37974698d197b6ef08b

SHA512
37191c088e8b62e83d6e0d55b0b02f2e316bbacb91550288eeafe211cc8b90c5e2692893dca1aa85a0d9d35ea18b3806f8716faf158575565abb9eac99a3fdcb

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
7b10e080cdfe653df6ac89eca77d34d4

SHA1
58b8568c650077942ea5ac0c73c103d4ef37f571

SHA256
38c2645599da4acbcc74c03f6d2408b3f9d894089a03c37974698d197b6ef08b

SHA512
37191c088e8b62e83d6e0d55b0b02f2e316bbacb91550288eeafe211cc8b90c5e2692893dca1aa85a0d9d35ea18b3806f8716faf158575565abb9eac99a3fdcb

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
7b10e080cdfe653df6ac89eca77d34d4

SHA1
58b8568c650077942ea5ac0c73c103d4ef37f571

SHA256
38c2645599da4acbcc74c03f6d2408b3f9d894089a03c37974698d197b6ef08b

SHA512
37191c088e8b62e83d6e0d55b0b02f2e316bbacb91550288eeafe211cc8b90c5e2692893dca1aa85a0d9d35ea18b3806f8716faf158575565abb9eac99a3fdcb

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
7b10e080cdfe653df6ac89eca77d34d4

SHA1
58b8568c650077942ea5ac0c73c103d4ef37f571

SHA256
38c2645599da4acbcc74c03f6d2408b3f9d894089a03c37974698d197b6ef08b

SHA512
37191c088e8b62e83d6e0d55b0b02f2e316bbacb91550288eeafe211cc8b90c5e2692893dca1aa85a0d9d35ea18b3806f8716faf158575565abb9eac99a3fdcb

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
08eb812f8e9c9f4af910ba1bf30f3b79

SHA1
e89e9ee83388483e50451ef602c446c630876f4d

SHA256
5510af0a8c4be555404a1dde3d2a83c2d717a4a543305d1babeb2bf352f7341f

SHA512
ee4da6b3d06547b08b96bf17e43f5cd4fee610741400cdd54158e2acca8b8660bba5ec6368468af58b8817778ef9b5df9109c6d32c49a47cc27837ee93884244

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
7b10e080cdfe653df6ac89eca77d34d4

SHA1
58b8568c650077942ea5ac0c73c103d4ef37f571

SHA256
38c2645599da4acbcc74c03f6d2408b3f9d894089a03c37974698d197b6ef08b

SHA512
37191c088e8b62e83d6e0d55b0b02f2e316bbacb91550288eeafe211cc8b90c5e2692893dca1aa85a0d9d35ea18b3806f8716faf158575565abb9eac99a3fdcb

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
08eb812f8e9c9f4af910ba1bf30f3b79

SHA1
e89e9ee83388483e50451ef602c446c630876f4d

SHA256
5510af0a8c4be555404a1dde3d2a83c2d717a4a543305d1babeb2bf352f7341f

SHA512
ee4da6b3d06547b08b96bf17e43f5cd4fee610741400cdd54158e2acca8b8660bba5ec6368468af58b8817778ef9b5df9109c6d32c49a47cc27837ee93884244

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
7b10e080cdfe653df6ac89eca77d34d4

SHA1
58b8568c650077942ea5ac0c73c103d4ef37f571

SHA256
38c2645599da4acbcc74c03f6d2408b3f9d894089a03c37974698d197b6ef08b

SHA512
37191c088e8b62e83d6e0d55b0b02f2e316bbacb91550288eeafe211cc8b90c5e2692893dca1aa85a0d9d35ea18b3806f8716faf158575565abb9eac99a3fdcb

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
memory/520-140-0x0000000003290000-0x0000000003D4A000-memory.dmp

Filesize
10.7MB

Download
memory/840-213-0x0000000003140000-0x0000000003BFA000-memory.dmp

Filesize
10.7MB

Download
memory/1824-138-0x0000000003280000-0x0000000003D3A000-memory.dmp

Filesize
10.7MB

Download
memory/2104-137-0x0000000003390000-0x0000000003E4A000-memory.dmp

Filesize
10.7MB

Download
memory/2196-152-0x00000000032F0000-0x0000000003DAA000-memory.dmp

Filesize
10.7MB

Download
memory/2892-170-0x0000000003120000-0x0000000003BDA000-memory.dmp

Filesize
10.7MB

Download
memory/2892-235-0x0000000003C10000-0x00000000046CA000-memory.dmp

Filesize
10.7MB

Download
memory/2960-141-0x00000000033F0000-0x0000000003EAA000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads