4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

Analysis

max time kernel
39s
max time network
377s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sihost.exe
Size

32KB
MD5

ccf9970a30773d65b345eae8d931f84d
SHA1

6553f5dc06ae80377d639575818d6c09569675c0
SHA256

4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796
SHA512

a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e
SSDEEP

384:8LipZl447piqb/lUYf5uH3w59AMRG5qUIjFgOrjFymqAeO8W8RNlz8G:dmiiqTfk2AMRGwlFgOrjs7Nlz8G

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
6748	Process not Found
2464	Process not Found
3856	Process not Found
10992	Process not Found
1012	attrib.exe
3324	attrib.exe
3324	Process not Found
7988	Process not Found
9288	Process not Found
2944	Process not Found
3084	attrib.exe
4092	Process not Found
964	Process not Found
8160	Process not Found
12256	Process not Found
7084	Process not Found
6364	Process not Found
5540	Process not Found
2052	attrib.exe
4140	attrib.exe
1260	attrib.exe
6688	Process not Found
5124	Process not Found
5608	Process not Found
2700	Process not Found
9664	Process not Found
4176	Process not Found
3596	Process not Found
1792	Process not Found
3532	Process not Found
5320	Process not Found
10144	Process not Found
12724	Process not Found
5868	attrib.exe
5776	attrib.exe
2796	Process not Found
11892	Process not Found
5688	Process not Found
10324	Process not Found
3476	attrib.exe
6072	attrib.exe
5520	attrib.exe
6488	Process not Found
6208	Process not Found
7624	Process not Found
3412	attrib.exe
6092	attrib.exe
6852	Process not Found
6028	Process not Found
8844	Process not Found
11836	Process not Found
1416	attrib.exe
8300	Process not Found
1484	Process not Found
4864	attrib.exe
3360	attrib.exe
6980	Process not Found
11936	Process not Found
2276	Process not Found
5576	Process not Found
4092	attrib.exe
5528	Process not Found
2188	Process not Found
8616	Process not Found

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	sihost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.zrz	attrib.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.zrz	Conhost.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.zrz	Process not Found
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	sihost.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	Process not Found
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	sihost.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.zrz	attrib.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.zrz	attrib.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	sihost.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	sihost.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.zrz	attrib.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	sihost.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.zrz	Conhost.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	sihost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.zrz	Process not Found
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Process not Found
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	sihost.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.zrz	attrib.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe	Process not Found
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz	Conhost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.zrz	attrib.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	sihost.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.zrz	attrib.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.zrz	Conhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.zrz	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.zrz	attrib.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.zrz	Process not Found
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.zrz	Process not Found
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process not Found
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	Process not Found
File created	C:\Program Files\Internet Explorer\iexplore.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	Process not Found
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe	Process not Found
File opened for modification	C:\Program Files\7-Zip\Uninstall.zrz	Conhost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	sihost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	sihost.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process not Found
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	Process not Found
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.zrz	Conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 15 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3908	Process not Found
10788	Process not Found
2824	ipconfig.exe
1668	ipconfig.exe
4840	Process not Found
2740	Process not Found
212	Process not Found
5732	Process not Found
4260	Process not Found
1424	Process not Found
4640	ipconfig.exe
5380	Process not Found
4976	ipconfig.exe
6256	Process not Found
5108	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5972	Process not Found
5556	Process not Found
3584	Process not Found

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1904	sihost.exe
4228	sihost.exe
1648	Process not Found
4684	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1904	sihost.exe
4228	sihost.exe
1648	sihost.exe
4684	sihost.exe
4848	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1344	1904	sihost.exe	88
PID 1904 wrote to memory of 1344	1904	sihost.exe	88
PID 1904 wrote to memory of 1344	1904	sihost.exe	88
PID 1904 wrote to memory of 4892	1904	sihost.exe	90
PID 1904 wrote to memory of 4892	1904	sihost.exe	90
PID 1904 wrote to memory of 4892	1904	sihost.exe	90
PID 1904 wrote to memory of 4488	1904	sihost.exe	92
PID 1904 wrote to memory of 4488	1904	sihost.exe	92
PID 1904 wrote to memory of 4488	1904	sihost.exe	92
PID 4488 wrote to memory of 1248	4488	cmd.exe	94
PID 4488 wrote to memory of 1248	4488	cmd.exe	94
PID 4488 wrote to memory of 1248	4488	cmd.exe	94
PID 1904 wrote to memory of 3996	1904	sihost.exe	95
PID 1904 wrote to memory of 3996	1904	sihost.exe	95
PID 1904 wrote to memory of 3996	1904	sihost.exe	95
PID 1904 wrote to memory of 916	1904	sihost.exe	97
PID 1904 wrote to memory of 916	1904	sihost.exe	97
PID 1904 wrote to memory of 916	1904	sihost.exe	97
PID 1904 wrote to memory of 3568	1904	sihost.exe	99
PID 1904 wrote to memory of 3568	1904	sihost.exe	99
PID 1904 wrote to memory of 3568	1904	sihost.exe	99
PID 1904 wrote to memory of 2888	1904	sihost.exe	102
PID 1904 wrote to memory of 2888	1904	sihost.exe	102
PID 1904 wrote to memory of 2888	1904	sihost.exe	102
PID 1904 wrote to memory of 3940	1904	sihost.exe	104
PID 1904 wrote to memory of 3940	1904	sihost.exe	104
PID 1904 wrote to memory of 3940	1904	sihost.exe	104
PID 3940 wrote to memory of 4976	3940	cmd.exe	106
PID 3940 wrote to memory of 4976	3940	cmd.exe	106
PID 3940 wrote to memory of 4976	3940	cmd.exe	106
PID 1904 wrote to memory of 2792	1904	sihost.exe	107
PID 1904 wrote to memory of 2792	1904	sihost.exe	107
PID 1904 wrote to memory of 2792	1904	sihost.exe	107
PID 1904 wrote to memory of 4228	1904	sihost.exe	110
PID 1904 wrote to memory of 4228	1904	sihost.exe	110
PID 1904 wrote to memory of 4228	1904	sihost.exe	110
PID 1904 wrote to memory of 3512	1904	sihost.exe	238
PID 1904 wrote to memory of 3512	1904	sihost.exe	238
PID 1904 wrote to memory of 3512	1904	sihost.exe	238
PID 4228 wrote to memory of 852	4228	sihost.exe	112
PID 4228 wrote to memory of 852	4228	sihost.exe	112
PID 4228 wrote to memory of 852	4228	sihost.exe	112
PID 1904 wrote to memory of 3596	1904	sihost.exe	179
PID 1904 wrote to memory of 3596	1904	sihost.exe	179
PID 1904 wrote to memory of 3596	1904	sihost.exe	179
PID 1904 wrote to memory of 1356	1904	sihost.exe	548
PID 1904 wrote to memory of 1356	1904	sihost.exe	548
PID 1904 wrote to memory of 1356	1904	sihost.exe	548
PID 1904 wrote to memory of 2180	1904	sihost.exe	769
PID 1904 wrote to memory of 2180	1904	sihost.exe	769
PID 1904 wrote to memory of 2180	1904	sihost.exe	769
PID 1904 wrote to memory of 628	1904	sihost.exe	463
PID 1904 wrote to memory of 628	1904	sihost.exe	463
PID 1904 wrote to memory of 628	1904	sihost.exe	463
PID 4228 wrote to memory of 3460	4228	sihost.exe	670
PID 4228 wrote to memory of 3460	4228	sihost.exe	670
PID 4228 wrote to memory of 3460	4228	sihost.exe	670
PID 1904 wrote to memory of 3380	1904	sihost.exe	406
PID 1904 wrote to memory of 3380	1904	sihost.exe	406
PID 1904 wrote to memory of 3380	1904	sihost.exe	406
PID 1904 wrote to memory of 3504	1904	sihost.exe	726
PID 1904 wrote to memory of 3504	1904	sihost.exe	726
PID 1904 wrote to memory of 3504	1904	sihost.exe	726
PID 1904 wrote to memory of 3544	1904	sihost.exe	674

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4792	Process not Found
6456	Process not Found
8228	Process not Found
4740	attrib.exe
5400	attrib.exe
5180	attrib.exe
2796	Process not Found
4244	Process not Found
6184	Process not Found
9956	Process not Found
9212	Process not Found
3412	attrib.exe
6048	attrib.exe
6744	Process not Found
3952	Process not Found
1892	Process not Found
8356	Process not Found
6856	Process not Found
5536	Process not Found
1928	Process not Found
6828	Process not Found
6220	Process not Found
9408	Process not Found
848	Process not Found
1356	attrib.exe
984	Process not Found
4168	Process not Found
2804	Process not Found
6276	Process not Found
2460	Process not Found
10236	Process not Found
9436	Process not Found
3476	attrib.exe
4472	attrib.exe
7972	Process not Found
2796	attrib.exe
4208	Process not Found
5152	attrib.exe
2700	attrib.exe
4368	attrib.exe
1864	Process not Found
4644	Process not Found
552	Process not Found
7928	Process not Found
3148	Process not Found
10260	Process not Found
4860	attrib.exe
5048	attrib.exe
1720	Process not Found
7008	Process not Found
6252	Process not Found
6460	Process not Found
6116	Process not Found
5720	Process not Found
6904	Process not Found
6024	Process not Found
6620	Process not Found
1016	Process not Found
5964	Process not Found
11328	Process not Found
9576	Process not Found
6524	Process not Found
60	attrib.exe
3008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sihost.exe
"C:\Users\Admin\AppData\Local\Temp\sihost.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
  2⤵
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Tree "D:" >> "C:\Log.crypt2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\tree.com
    Tree "D:"
    3⤵
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:3996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all >> "C:\Log.crypt2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\Log.crypt2"
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\sihost.exe
  "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Tree "D:" >> "C:\Log.crypt2"
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\tree.com
      Tree "D:"
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> "C:\Log.crypt2"
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\Log.crypt2"
    3⤵
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\sihost.exe
    "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:1952
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Tree "D:" >> "C:\Log.crypt2"
      4⤵
      PID:3380
    - - C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\Log.crypt2"
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\Log.crypt2"
      4⤵
      PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
      "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
      4⤵
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:4684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        5⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:5660
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        5⤵
        
        PID:536
      - C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        6⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:5292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:5808
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:5872
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        5⤵
        
        PID:4012
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        5⤵
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4848
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        6⤵
        
        PID:5972
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:3084
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        6⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        7⤵
        
        PID:3504
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:2568
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:4580
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:6096
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:7124
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\Log.crypt2"
        6⤵
        
        PID:5388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1368
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        6⤵
        
        PID:6908
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe" 0
        6⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\Log.crypt2"
        7⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Tree "D:" >> "C:\Log.crypt2"
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\tree.com
        
        Tree "D:"
        8⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\Log.crypt2"
        7⤵
        
        PID:6240
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\mip.zrz"
        6⤵
        
        PID:5204
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\TabTip.zrz"
        6⤵
        
        PID:5568
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:5832
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        6⤵
        
        PID:6544
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:5412
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:1336
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:4300
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ExtExport.zrz"
        6⤵
        
        PID:7120
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.zrz"
        6⤵
        
        PID:4696
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.zrz"
        6⤵
        
        PID:5748
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        6⤵
        
        PID:5112
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        6⤵
        
        PID:5012
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        6⤵
        
        PID:116
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        6⤵
        
        PID:1040
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        6⤵
        
        PID:3016
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        6⤵
        
        PID:6696
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:3604
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        6⤵
        
        PID:6040
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        6⤵
        
        PID:6620
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Security\BrowserCore\BrowserCore.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:5180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2840
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        6⤵
        
        PID:6456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2960
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        6⤵
        
        PID:6320
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:5660
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.zrz"
        6⤵
        
        PID:1784
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.zrz"
        6⤵
        
        PID:6168
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.zrz"
        6⤵
        
        PID:7008
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.zrz"
        6⤵
        Drops file in Program Files directory
        
        PID:1796
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.zrz"
        6⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3816
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.zrz"
        6⤵
        
        PID:5160
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.zrz"
        6⤵
        
        PID:5388
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.zrz"
        6⤵
        
        PID:5056
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.zrz"
        6⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2244
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.zrz"
        6⤵
        
        PID:5692
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.zrz"
        6⤵
        
        PID:4900
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.zrz"
        6⤵
        
        PID:6000
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.zrz"
        6⤵
        
        PID:4696
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.zrz"
        6⤵
        
        PID:7020
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.zrz"
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.zrz"
        6⤵
        
        PID:5484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5696
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.zrz"
        6⤵
        
        PID:5560
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.zrz"
        6⤵
        
        PID:6444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3536
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.zrz"
        6⤵
        
        PID:6924
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.zrz"
        6⤵
        
        PID:6224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4084
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.zrz"
        6⤵
        
        PID:4464
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.zrz"
        6⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4028
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.zrz"
        6⤵
        
        PID:4740
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.zrz"
        6⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5112
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.zrz"
        6⤵
        
        PID:6044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4244
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.zrz"
        6⤵
        
        PID:5312
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.zrz"
        6⤵
        
        PID:6928
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.zrz"
        6⤵
        
        PID:5720
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.zrz"
        6⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1356
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.zrz"
        6⤵
        
        PID:3996
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.zrz"
        6⤵
        
        PID:624
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.zrz"
        6⤵
        
        PID:5356
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.zrz"
        6⤵
        
        PID:6172
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.zrz"
        6⤵
        Drops file in Program Files directory
        
        PID:3612
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.zrz"
        6⤵
        
        PID:5776
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.zrz"
        6⤵
        
        PID:4952
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.zrz"
        6⤵
        
        PID:6088
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.zrz"
        6⤵
        
        PID:4392
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.zrz"
        6⤵
        
        PID:6832
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.zrz"
        6⤵
        
        PID:2220
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.zrz"
        6⤵
        
        PID:6148
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.zrz"
        6⤵
        
        PID:3544
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.zrz"
        6⤵
        
        PID:2832
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.zrz"
        6⤵
        
        PID:5980
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
        6⤵
        
        PID:3936
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.zrz"
        6⤵
        
        PID:5032
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.zrz"
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.zrz"
        5⤵
        
        PID:4660
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\mip.zrz"
        5⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\TabTip.zrz"
        5⤵
        
        PID:6084
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:4320
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
        5⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:5544
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:2992
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:5260
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
        5⤵
        
        PID:5192
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:2464
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5928
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:5876
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:640
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
        5⤵
        Sets file to hidden
        
        PID:4140
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5048
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
        5⤵
        
        PID:3220
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
        5⤵
        
        PID:5252
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:5904
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
        5⤵
        Sets file to hidden
        
        PID:5868
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Security\BrowserCore\BrowserCore.zrz"
        5⤵
        
        PID:5688
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.zrz"
        5⤵
        
        PID:3352
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.zrz"
        5⤵
        
        PID:5704
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.zrz"
        5⤵
        
        PID:216
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.zrz"
        5⤵
        
        PID:5288
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.zrz"
        5⤵
        
        PID:5772
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
        5⤵
        
        PID:5128
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.zrz"
        5⤵
        
        PID:5740
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.zrz"
        5⤵
        
        PID:5504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.zrz"
        5⤵
        
        PID:916
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.zrz"
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.zrz"
        5⤵
        
        PID:6032
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.zrz"
        5⤵
        
        PID:1872
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.zrz"
        5⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.zrz"
        5⤵
        
        PID:5652
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.zrz"
        5⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.zrz"
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.zrz"
        5⤵
        
        PID:3504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.zrz"
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.zrz"
        5⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.zrz"
        5⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.zrz"
        5⤵
        
        PID:6640
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.zrz"
        5⤵
        
        PID:6424
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.zrz"
        5⤵
        
        PID:6204
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.zrz"
        5⤵
        
        PID:6760
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.zrz"
        5⤵
        
        PID:6804
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.zrz"
        5⤵
        
        PID:6856
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.zrz"
        5⤵
        
        PID:7048
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.zrz"
        5⤵
        
        PID:7108
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.zrz"
        5⤵
        
        PID:6988
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.zrz"
        5⤵
        
        PID:5196
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.zrz"
        5⤵
        
        PID:7156
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:6048
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.zrz"
        5⤵
        
        PID:5316
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.zrz"
        5⤵
        
        PID:5240
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.zrz"
        5⤵
        
        PID:5616
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2616
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.zrz"
        5⤵
        
        PID:5232
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.zrz"
        5⤵
        
        PID:6012
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.zrz"
        5⤵
        
        PID:4640
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5328
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.zrz"
        5⤵
        
        PID:5184
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.zrz"
        5⤵
        
        PID:6444
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.zrz"
        5⤵
        
        PID:5628
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.zrz"
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.zrz"
        5⤵
        
        PID:3448
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.zrz"
        5⤵
        
        PID:2840
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5648
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.zrz"
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.zrz"
        5⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
        5⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
        5⤵
        
        PID:5684
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.zrz"
        5⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.zrz"
        5⤵
        
        PID:5300
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.zrz"
        5⤵
        
        PID:4692
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.zrz"
        5⤵
        
        PID:5892
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.zrz"
        5⤵
        
        PID:6096
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:5652
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        
        PID:5216
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:5416
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:7104
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4880
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:6832
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:7020
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:6632
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        
        PID:412
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
        5⤵
        
        PID:5788
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
        5⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:5116
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.zrz"
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.zrz"
        5⤵
        
        PID:5440
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
        5⤵
        
        PID:3252
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
        5⤵
        
        PID:6900
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ImmersiveControlPanel\SystemSettings.zrz"
        5⤵
        Sets file to hidden
        
        PID:6092
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.zrz"
        5⤵
        
        PID:6312
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.zrz"
        5⤵
        
        PID:6404
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.zrz"
        5⤵
        
        PID:6952
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.zrz"
        5⤵
        
        PID:6760
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.zrz"
        5⤵
        
        PID:3476
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.zrz"
        5⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.zrz"
        5⤵
        
        PID:7144
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.zrz"
        5⤵
        
        PID:6772
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.zrz"
        5⤵
        
        PID:6124
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.zrz"
        5⤵
        
        PID:3084
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.zrz"
        5⤵
        
        PID:6300
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.zrz"
        5⤵
        
        PID:5204
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.zrz"
        5⤵
        
        PID:7032
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.zrz"
        5⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.zrz"
        5⤵
        
        PID:3960
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.zrz"
        5⤵
        
        PID:420
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.zrz"
        5⤵
        
        PID:6724
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.zrz"
        5⤵
        
        PID:6452
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.zrz"
        5⤵
        
        PID:6004
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.zrz"
        5⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.zrz"
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.zrz"
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\csc.zrz"
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.zrz"
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.zrz"
        5⤵
        
        PID:5500
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4012
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.zrz"
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\mip.zrz"
      4⤵
      PID:1048
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.zrz"
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\TabTip.zrz"
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ExtExport.zrz"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
      4⤵
      PID:3536
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
      4⤵
      Views/modifies file attributes
      PID:3412
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
      4⤵
      PID:3632
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
      4⤵
      PID:1368
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Drops file in Program Files directory
        
        PID:3504
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
      4⤵
      PID:5348
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Security\BrowserCore\BrowserCore.zrz"
      4⤵
      PID:6032
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.zrz"
      4⤵
      PID:5840
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.zrz"
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.zrz"
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.zrz"
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.zrz"
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.zrz"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.zrz"
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.zrz"
      4⤵
      PID:5180
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.zrz"
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.zrz"
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.zrz"
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.zrz"
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.zrz"
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.zrz"
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.zrz"
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.zrz"
      4⤵
      PID:2656
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4636
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.zrz"
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.zrz"
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.zrz"
      4⤵
      PID:5248
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.zrz"
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.zrz"
      4⤵
      PID:5648
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.zrz"
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.zrz"
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.zrz"
      4⤵
      PID:444
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.zrz"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.zrz"
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.zrz"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.zrz"
      4⤵
      PID:6076
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.zrz"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.zrz"
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.zrz"
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.zrz"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.zrz"
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.zrz"
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.zrz"
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.zrz"
      4⤵
      PID:5648
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.zrz"
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.zrz"
      4⤵
      PID:5916
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.zrz"
      4⤵
      Sets file to hidden
      PID:1260
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.zrz"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.zrz"
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.zrz"
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.zrz"
      4⤵
      PID:5900
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.zrz"
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.zrz"
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.zrz"
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.zrz"
      4⤵
      PID:5412
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.zrz"
      4⤵
      PID:6508
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.zrz"
      4⤵
      PID:6432
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.zrz"
      4⤵
      PID:416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.zrz"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.zrz"
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.zrz"
      4⤵
      PID:5124
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.zrz"
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.zrz"
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.zrz"
      4⤵
      PID:5992
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.zrz"
      4⤵
      PID:5804
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.zrz"
      4⤵
      PID:5896
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4976
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
      4⤵
      PID:6120
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
      4⤵
      PID:6312
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.zrz"
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.zrz"
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.zrz"
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.zrz"
      4⤵
      PID:6700
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.zrz"
      4⤵
      PID:6516
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.zrz"
      4⤵
      PID:4288
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:60
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.zrz"
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:7056
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      PID:6368
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.zrz"
      4⤵
      PID:5324
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.zrz"
      4⤵
      PID:5816
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.zrz"
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.zrz"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.zrz"
      4⤵
      PID:6624
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.zrz"
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.zrz"
      4⤵
      Sets file to hidden
      PID:5776
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.zrz"
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.zrz"
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateBroker.zrz"
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateCore.zrz"
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateOnDemand.zrz"
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.zrz"
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
      4⤵
      PID:5916
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
      4⤵
      PID:6324
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
      4⤵
      PID:5160
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
      4⤵
      PID:4692
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4312
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.zrz"
      4⤵
      PID:5176
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.zrz"
      4⤵
      PID:7036
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.zrz"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
      4⤵
      PID:6840
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
      4⤵
      Drops file in Program Files directory
      PID:1176
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.zrz"
      4⤵
      PID:5512
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.zrz"
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.zrz"
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.zrz"
      4⤵
      PID:6416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.zrz"
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.zrz"
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.zrz"
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.zrz"
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.zrz"
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.zrz"
      4⤵
      PID:5232
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.zrz"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
      4⤵
      PID:3928
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ImmersiveControlPanel\SystemSettings.zrz"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.zrz"
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.zrz"
      4⤵
      PID:5136
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.zrz"
      4⤵
      PID:6396
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.zrz"
      4⤵
      PID:5184
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.zrz"
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.zrz"
      4⤵
      PID:7000
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.zrz"
      4⤵
      PID:5468
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:848
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.zrz"
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.zrz"
      4⤵
      PID:6436
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.zrz"
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.zrz"
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.zrz"
      4⤵
      PID:6984
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.zrz"
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.zrz"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.zrz"
      4⤵
      PID:6880
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:396
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.zrz"
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.zrz"
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.zrz"
      4⤵
      PID:6484
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.zrz"
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.zrz"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.zrz"
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.zrz"
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\csc.zrz"
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.zrz"
      4⤵
      PID:6768
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.zrz"
      4⤵
      PID:5716
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.zrz"
      4⤵
      PID:6456
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.zrz"
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.zrz"
      4⤵
      PID:6188
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.zrz"
      4⤵
      PID:5616
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.zrz"
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.zrz"
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.zrz"
      4⤵
      PID:5136
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.zrz"
      4⤵
      PID:5256
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.zrz"
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.zrz"
      4⤵
      PID:2272
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.zrz"
      4⤵
      PID:6548
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.zrz"
      4⤵
      PID:5944
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.zrz"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.zrz"
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.zrz"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.zrz"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\TabTip.zrz"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\mip.zrz"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ExtExport.zrz"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.zrz"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\kinit.zrz"
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\orbd.zrz"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\pack200.zrz"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.zrz"
    3⤵
    - Views/modifies file attributes
    PID:4740
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.zrz"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.zrz"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\jabswitch.zrz"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\javacpl.zrz"
    3⤵
    PID:4220
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\java-rmi.zrz"
    3⤵
    - Views/modifies file attributes
    PID:4860
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\javaws.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\jp2launcher.zrz"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\klist.zrz"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\orbd.zrz"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\rmiregistry.zrz"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\ssvagent.zrz"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\policytool.zrz"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Client\AppVLP.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2700
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\Office16\OSPPREARM.zrz"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Integration\Integrator.zrz"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.zrz"
    3⤵
    PID:5116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3544
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.zrz"
    3⤵
    PID:2312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\CLVIEW.zrz"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\EXCEL.zrz"
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\IEContentService.zrz"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\msoadfsb.zrz"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\msoev.zrz"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\msoia.zrz"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.zrz"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\MSOUC.zrz"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.zrz"
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.zrz"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.zrz"
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.zrz"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.zrz"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\protocolhandler.zrz"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.zrz"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\SETLANG.zrz"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\WORDICON.zrz"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.zrz"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\WINWORD.zrz"
    3⤵
    PID:412
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.zrz"
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.zrz"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.zrz"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.zrz"
    3⤵
    PID:3188
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4092
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.zrz"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.zrz"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.zrz"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.zrz"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.zrz"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.zrz"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.zrz"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.zrz"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.zrz"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.zrz"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.zrz"
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.zrz"
    3⤵
    PID:5060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Drops file in Program Files directory
      PID:3828
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.zrz"
    3⤵
    PID:3996
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.zrz"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.zrz"
    3⤵
    - Views/modifies file attributes
    PID:5152
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\crashreporter.zrz"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice.zrz"
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.zrz"
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\private_browsing.zrz"
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\pingsender.zrz"
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\firefox.zrz"
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.zrz"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc.zrz"
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\uninstall.zrz"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
    3⤵
    - Views/modifies file attributes
    PID:5400
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Security\BrowserCore\BrowserCore.zrz"
    3⤵
    - Drops file in Program Files directory
    PID:2732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.zrz"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.zrz"
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.zrz"
    3⤵
    - Drops file in Program Files directory
    PID:1420
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.zrz"
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.zrz"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.zrz"
    3⤵
    PID:5716
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4056
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.zrz"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.zrz"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.zrz"
    3⤵
    - Views/modifies file attributes
    PID:5048
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.zrz"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.zrz"
    3⤵
    - Sets file to hidden
    PID:1012
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.zrz"
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.zrz"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.zrz"
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.zrz"
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.zrz"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.zrz"
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.zrz"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.zrz"
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.zrz"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.zrz"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.zrz"
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.zrz"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.zrz"
    3⤵
    PID:5468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.zrz"
    3⤵
    PID:5272
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4068
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.zrz"
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.zrz"
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.zrz"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.zrz"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.zrz"
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.zrz"
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.zrz"
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.zrz"
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.zrz"
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.zrz"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.zrz"
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.zrz"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.zrz"
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.zrz"
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.zrz"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.zrz"
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.zrz"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.zrz"
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.zrz"
    3⤵
    - Sets file to hidden
    PID:4864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.zrz"
    3⤵
    - Sets file to hidden
    - Drops file in Program Files directory
    PID:3324
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.zrz"
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.zrz"
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.zrz"
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.zrz"
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
    3⤵
    PID:116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.zrz"
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.zrz"
    3⤵
    - Sets file to hidden
    PID:1416
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.zrz"
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.zrz"
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.zrz"
    3⤵
    PID:6944
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.zrz"
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.zrz"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.zrz"
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.zrz"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.zrz"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.zrz"
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.zrz"
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.zrz"
    3⤵
    PID:6512
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.zrz"
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.zrz"
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:6600
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.zrz"
    3⤵
    PID:3440
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
    3⤵
    PID:6900
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.zrz"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.zrz"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.zrz"
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.zrz"
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.zrz"
    3⤵
    PID:6384
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{413231AA-9CB1-48F6-8F03-FAD29C1C9B35}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.zrz"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeComRegisterShellARM64.zrz"
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdate.zrz"
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateComRegisterShell64.zrz"
    3⤵
    PID:1824
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateSetup.zrz"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.zrz"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
    3⤵
    - Sets file to hidden
    PID:6072
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows NT\Accessories\wordpad.zrz"
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.zrz"
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.zrz"
    3⤵
    PID:5500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4052
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.zrz"
    3⤵
    PID:6376
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.zrz"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.zrz"
    3⤵
    PID:6792
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.zrz"
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
    3⤵
    PID:6944
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.zrz"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.zrz"
    3⤵
    PID:5452
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.zrz"
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Local\Temp\sihost.zrz"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.zrz"
    3⤵
    PID:6984
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Boot\PCAT\memtest.zrz"
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\ImmersiveControlPanel\SystemSettings.zrz"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.zrz"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.zrz"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.zrz"
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.zrz"
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.zrz"
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.zrz"
    3⤵
    PID:5940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.zrz"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.zrz"
    3⤵
    PID:5652
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3448
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.zrz"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.zrz"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.zrz"
    3⤵
    PID:3628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4864
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.zrz"
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.zrz"
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.zrz"
    3⤵
    PID:688
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.zrz"
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.zrz"
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.zrz"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.zrz"
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.zrz"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.zrz"
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.zrz"
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.zrz"
    3⤵
    - Sets file to hidden
    PID:3360
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.zrz"
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.zrz"
    3⤵
    PID:6352
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.zrz"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.zrz"
    3⤵
    PID:2728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4064
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.zrz"
    3⤵
    PID:6200
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3320
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.zrz"
    3⤵
    PID:6708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4504
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.zrz"
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.zrz"
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.zrz"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\csc.zrz"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.zrz"
    3⤵
    PID:6684
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.zrz"
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.zrz"
    3⤵
    - Sets file to hidden
    PID:5520
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.zrz"
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.zrz"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.zrz"
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.zrz"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.zrz"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.zrz"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.zrz"
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.zrz"
    3⤵
    PID:6948
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.zrz"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.zrz"
    3⤵
    PID:740
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\odt\office2016setup.zrz"
  2⤵
  PID:3512
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7z.zrz"
  2⤵
  PID:3596
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zFM.zrz"
  2⤵
  PID:1356
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\7zG.zrz"
  2⤵
  PID:2180
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\7-Zip\Uninstall.zrz"
  2⤵
  PID:628
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.zrz"
  2⤵
  PID:3380
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.zrz"
  2⤵
  PID:3504
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.zrz"
  2⤵
  PID:3544
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.zrz"
  2⤵
  PID:2292
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.zrz"
  2⤵
  PID:5076
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.zrz"
  2⤵
  PID:4056
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.zrz"
  2⤵
  PID:1012
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.zrz"
  2⤵
  PID:4380
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\mip.zrz"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.zrz"
  2⤵
  PID:4408
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\ink\TabTip.zrz"
  2⤵
  PID:1368
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
  2⤵
  PID:4564
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.zrz"
  2⤵
  PID:3724
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.zrz"
  2⤵
  - Sets file to hidden
  PID:4092
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.zrz"
  2⤵
  PID:4848
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.zrz"
  2⤵
  PID:4604
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.zrz"
  2⤵
  PID:1968
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.zrz"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.zrz"
  2⤵
  PID:3696
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.zrz"
  2⤵
  PID:2324
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome.zrz"
  2⤵
  PID:3320
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Google\Chrome\Application\chrome_proxy.zrz"
  2⤵
  PID:2368
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iediagcmd.zrz"
  2⤵
  PID:3596
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ExtExport.zrz"
  2⤵
  PID:3272
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ieinstal.zrz"
  2⤵
  PID:3636
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\ielowutil.zrz"
  2⤵
  PID:1864
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Internet Explorer\iexplore.zrz"
  2⤵
  PID:1116
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\appletviewer.zrz"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\extcheck.zrz"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\idlj.zrz"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jabswitch.zrz"
  2⤵
  PID:848
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jar.zrz"
  2⤵
  PID:3456
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jarsigner.zrz"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\java-rmi.zrz"
  2⤵
  PID:4380
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\java.zrz"
  2⤵
  PID:1420
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javac.zrz"
  2⤵
  - Views/modifies file attributes
  PID:60
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javadoc.zrz"
  2⤵
  PID:4488
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javah.zrz"
  2⤵
  PID:4820
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javafxpackager.zrz"
  2⤵
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javapackager.zrz"
  2⤵
  PID:3912
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javaw.zrz"
  2⤵
  PID:4460
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javaws.zrz"
  2⤵
  - Sets file to hidden
  PID:2052
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\javap.zrz"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3476
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jcmd.zrz"
  2⤵
  PID:220
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jconsole.zrz"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jdb.zrz"
  2⤵
  PID:4988
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jhat.zrz"
  2⤵
  PID:4064
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jdeps.zrz"
  2⤵
  PID:2948
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jinfo.zrz"
  2⤵
  - Views/modifies file attributes
  PID:1356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3512
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jjs.zrz"
  2⤵
  - Sets file to hidden
  PID:3412
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jmap.zrz"
  2⤵
  PID:4052
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jps.zrz"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jrunscript.zrz"
  2⤵
  PID:4548
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jsadebugd.zrz"
  2⤵
  PID:4612
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jstack.zrz"
  2⤵
  PID:3828
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jstat.zrz"
  2⤵
  PID:920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3988
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\jstatd.zrz"
  2⤵
  PID:3916
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\keytool.zrz"
  2⤵
  PID:412
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\kinit.zrz"
  2⤵
  PID:3760
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\klist.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:4584
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\ktab.zrz"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\native2ascii.zrz"
  2⤵
  PID:848
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\orbd.zrz"
  2⤵
  PID:4244
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\pack200.zrz"
  2⤵
  PID:1276
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\policytool.zrz"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\rmic.zrz"
  2⤵
  PID:4020
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\rmid.zrz"
  2⤵
  PID:2008
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\rmiregistry.zrz"
  2⤵
  PID:4848
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\schemagen.zrz"
  2⤵
  PID:1964
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\serialver.zrz"
  2⤵
  PID:3076
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\servertool.zrz"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\wsimport.zrz"
  2⤵
  PID:3576
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\wsgen.zrz"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\unpack200.zrz"
  2⤵
  PID:644
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\tnameserv.zrz"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.zrz"
  2⤵
  PID:4548
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\bin\xjc.zrz"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.zrz"
  2⤵
  PID:3828
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\java.zrz"
  2⤵
  PID:3992
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\javaw.zrz"
  2⤵
  PID:3988
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\javaws.zrz"
  2⤵
  PID:3044
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\jjs.zrz"
  2⤵
  PID:4440
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\keytool.zrz"
  2⤵
  PID:4348
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.zrz"
  2⤵
  PID:5060
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\klist.zrz"
  2⤵
  PID:1640
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\ktab.zrz"
  2⤵
  PID:4368
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\policytool.zrz"
  2⤵
  PID:884
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\rmid.zrz"
  2⤵
  PID:4504
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\servertool.zrz"
  2⤵
  PID:2504
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.zrz"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\jabswitch.zrz"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\java.zrz"
  2⤵
  PID:1932
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\jjs.zrz"
  2⤵
  PID:1456
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\keytool.zrz"
  2⤵
  PID:2628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2348
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\javaw.zrz"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\kinit.zrz"
  2⤵
  PID:3916
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\ktab.zrz"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\pack200.zrz"
  2⤵
  - Views/modifies file attributes
  PID:3008
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\tnameserv.zrz"
  2⤵
  - Sets file to hidden
  PID:3084
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\servertool.zrz"
  2⤵
  PID:2148
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\rmid.zrz"
  2⤵
  PID:5036
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Java\jre-1.8\bin\unpack200.zrz"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.zrz"
  2⤵
  PID:3448
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.zrz"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.zrz"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.zrz"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.zrz"
  2⤵
  PID:3440
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.zrz"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\excelcnv.zrz"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\GRAPH.zrz"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\msoasb.zrz"
  2⤵
  PID:3536
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\misc.zrz"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.zrz"
  2⤵
  PID:4904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Drops file in Program Files directory
    PID:628
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\MSOSREC.zrz"
  2⤵
  PID:828
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\msotd.zrz"
  2⤵
  PID:1188
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\MSQRY32.zrz"
  2⤵
  PID:3044
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ONENOTE.zrz"
  2⤵
  PID:984
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\ORGCHART.zrz"
  2⤵
  PID:1824
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\PerfBoost.zrz"
  2⤵
  PID:4692
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\PPTICO.zrz"
  2⤵
  PID:4440
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\SDXHelper.zrz"
  2⤵
  PID:2056
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\SELFCERT.zrz"
  2⤵
  PID:3748
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.zrz"
  2⤵
  PID:3324
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\Wordconv.zrz"
  2⤵
  PID:3144
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\Office16\XLICONS.zrz"
  2⤵
  PID:5112
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2560
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.zrz"
  2⤵
  PID:396
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.zrz"
  2⤵
  PID:3884
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.zrz"
  2⤵
  PID:644
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.zrz"
  2⤵
  PID:3528
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.zrz"
  2⤵
  PID:2948
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.zrz"
  2⤵
  PID:4904
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.zrz"
  2⤵
  PID:3612
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.zrz"
  2⤵
  - Views/modifies file attributes
  PID:4368
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.zrz"
  2⤵
  PID:4068
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.zrz"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.zrz"
  2⤵
  PID:3856
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.zrz"
  2⤵
  PID:4636
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.zrz"
  2⤵
  PID:4936
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Drops file in Program Files directory
    PID:3696
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.zrz"
  2⤵
  PID:412
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.zrz"
  2⤵
  PID:3180
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.zrz"
  2⤵
  PID:396
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.zrz"
  2⤵
  PID:3508
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.zrz"
  2⤵
  PID:1172
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.zrz"
  2⤵
  PID:2840
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.zrz"
  2⤵
  PID:3908
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.zrz"
  2⤵
  PID:4220
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.zrz"
  2⤵
  PID:4488
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\uninstall\helper.zrz"
  2⤵
  PID:5212
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\minidump-analyzer.zrz"
  2⤵
  PID:5620
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\plugin-container.zrz"
  2⤵
  PID:5736
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\updater.zrz"
  2⤵
  PID:5796
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Mozilla Firefox\default-browser-agent.zrz"
  2⤵
  PID:5384
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.zrz"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\uninstall.zrz"
  2⤵
  PID:6076
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\VideoLAN\VLC\vlc-cache-gen.zrz"
  2⤵
  PID:6124
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wabmig.zrz"
  2⤵
  PID:4028
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Mail\wab.zrz"
  2⤵
  PID:3784
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\setup_wm.zrz"
  2⤵
  PID:3748
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmlaunch.zrz"
  2⤵
  PID:2512
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3460
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpconfig.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:1952
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmplayer.zrz"
  2⤵
  PID:4692
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnscfg.zrz"
  2⤵
  PID:4900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Drops file in Program Files directory
    PID:4604
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpshare.zrz"
  2⤵
  PID:1256
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmprph.zrz"
  2⤵
  PID:2700
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Media Player\wmpnetwk.zrz"
  2⤵
  PID:5748
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows NT\Accessories\wordpad.zrz"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Security\BrowserCore\BrowserCore.zrz"
  2⤵
  PID:6084
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\Windows Photo Viewer\ImagingDevices.zrz"
  2⤵
  PID:3908
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.zrz"
  2⤵
  PID:4420
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.zrz"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.zrz"
  2⤵
  PID:5800
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.zrz"
  2⤵
  PID:5996
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.zrz"
  2⤵
  PID:5828
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.zrz"
  2⤵
  PID:6068
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.zrz"
  2⤵
  PID:5596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2180
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.zrz"
  2⤵
  PID:5756
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.zrz"
  2⤵
  PID:5188
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.zrz"
  2⤵
  PID:3448
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.zrz"
  2⤵
  PID:6060
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.zrz"
  2⤵
  PID:3456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4380
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.zrz"
  2⤵
  PID:1824
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.zrz"
  2⤵
  PID:1280
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.zrz"
  2⤵
  PID:3188
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.zrz"
  2⤵
  PID:3248
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.zrz"
  2⤵
  PID:5264
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.zrz"
  2⤵
  PID:3596
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.zrz"
  2⤵
  PID:5836
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.zrz"
  2⤵
  PID:5748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:984
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.zrz"
  2⤵
  PID:5404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:852
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.zrz"
  2⤵
  PID:3372
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.zrz"
  2⤵
  PID:5208
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.zrz"
  2⤵
  PID:3200
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.zrz"
  2⤵
  PID:4696
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.zrz"
  2⤵
  PID:5296
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.zrz"
  2⤵
  PID:4416
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.zrz"
  2⤵
  PID:5332
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.zrz"
  2⤵
  PID:2208
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.zrz"
  2⤵
  PID:5576
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.zrz"
  2⤵
  PID:5712
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.zrz"
  2⤵
  PID:5584
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.zrz"
  2⤵
  PID:2564
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.zrz"
  2⤵
  PID:5212
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.zrz"
  2⤵
  PID:628
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.zrz"
  2⤵
  PID:1180
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.zrz"
  2⤵
  PID:2008
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.zrz"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.zrz"
  2⤵
  PID:5172
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.zrz"
  2⤵
  PID:4640
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.zrz"
  2⤵
  PID:852
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.zrz"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.zrz"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.zrz"
  2⤵
  PID:5104
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.zrz"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.zrz"
  2⤵
  PID:5928
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.zrz"
  2⤵
  PID:6556
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.zrz"
  2⤵
  PID:6380
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.zrz"
  2⤵
  PID:5380
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
  2⤵
  PID:5568
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.zrz"
  2⤵
  PID:4976
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.zrz"
  2⤵
  PID:5972
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.zrz"
  2⤵
  PID:4140
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.zrz"
  2⤵
  PID:4552
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.zrz"
  2⤵
  PID:3928
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.zrz"
  2⤵
  PID:4840
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.zrz"
  2⤵
  PID:5852
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.zrz"
  2⤵
  PID:5676
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.zrz"
  2⤵
  PID:3412
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
  2⤵
  PID:6360
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.zrz"
  2⤵
  PID:1640
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
  2⤵
  PID:4604
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
  2⤵
  PID:5572
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.zrz"
  2⤵
  PID:6584
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.zrz"
  2⤵
  PID:6564
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Install\{4D2DBF58-BCAB-45CC-898B-72432E8740A5}\chrome_installer.zrz"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
  2⤵
  PID:4992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Drops file in Program Files directory
    PID:4612
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.zrz"
  2⤵
  PID:6216
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.zrz"
  2⤵
  PID:5520
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
  2⤵
  PID:6992
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
  2⤵
  PID:6676
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
  2⤵
  - Views/modifies file attributes
  PID:4472
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.zrz"
  2⤵
  PID:4436
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.zrz"
  2⤵
  PID:4116
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.zrz"
  2⤵
  PID:4196
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.zrz"
  2⤵
  PID:5152
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.zrz"
  2⤵
  PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
5fc45cf74c7e501aab0a2756a9cb06f4

SHA1
89d24f55254d04e0885ac126d5768bee98af6211

SHA256
683f7addd899b7ec0c2dc8fa23279d3eb47969fada9424bccd82592100370b82

SHA512
832371ec16083a16e3a5ab0d2697a0ec2d08b474d8f7e474413cecc002ab96fff66b881c19977560200d71b4f25888d43932455b1a00d32f30962f8bea2ebca8

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
5fc45cf74c7e501aab0a2756a9cb06f4

SHA1
89d24f55254d04e0885ac126d5768bee98af6211

SHA256
683f7addd899b7ec0c2dc8fa23279d3eb47969fada9424bccd82592100370b82

SHA512
832371ec16083a16e3a5ab0d2697a0ec2d08b474d8f7e474413cecc002ab96fff66b881c19977560200d71b4f25888d43932455b1a00d32f30962f8bea2ebca8

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
e26d81477c9ad18c249a5f697ff68ee3

SHA1
684938ceb0a75c52f3367681649fe3416fdba67f

SHA256
f92a1cc0c4426757348f383099a902cc9a5fa5dc0f51cec4241a7cd8a80b1654

SHA512
ff6531d0e3428d7fa3d3e53d7146867b59e90ec21ed1d65c5331b9faaccb6c8fd9160c247f3e9b0ad42e98a91fd5a2192e79064a0207080dea061e184bac3a64

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
e26d81477c9ad18c249a5f697ff68ee3

SHA1
684938ceb0a75c52f3367681649fe3416fdba67f

SHA256
f92a1cc0c4426757348f383099a902cc9a5fa5dc0f51cec4241a7cd8a80b1654

SHA512
ff6531d0e3428d7fa3d3e53d7146867b59e90ec21ed1d65c5331b9faaccb6c8fd9160c247f3e9b0ad42e98a91fd5a2192e79064a0207080dea061e184bac3a64

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
e26d81477c9ad18c249a5f697ff68ee3

SHA1
684938ceb0a75c52f3367681649fe3416fdba67f

SHA256
f92a1cc0c4426757348f383099a902cc9a5fa5dc0f51cec4241a7cd8a80b1654

SHA512
ff6531d0e3428d7fa3d3e53d7146867b59e90ec21ed1d65c5331b9faaccb6c8fd9160c247f3e9b0ad42e98a91fd5a2192e79064a0207080dea061e184bac3a64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
5fc45cf74c7e501aab0a2756a9cb06f4

SHA1
89d24f55254d04e0885ac126d5768bee98af6211

SHA256
683f7addd899b7ec0c2dc8fa23279d3eb47969fada9424bccd82592100370b82

SHA512
832371ec16083a16e3a5ab0d2697a0ec2d08b474d8f7e474413cecc002ab96fff66b881c19977560200d71b4f25888d43932455b1a00d32f30962f8bea2ebca8

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
5fc45cf74c7e501aab0a2756a9cb06f4

SHA1
89d24f55254d04e0885ac126d5768bee98af6211

SHA256
683f7addd899b7ec0c2dc8fa23279d3eb47969fada9424bccd82592100370b82

SHA512
832371ec16083a16e3a5ab0d2697a0ec2d08b474d8f7e474413cecc002ab96fff66b881c19977560200d71b4f25888d43932455b1a00d32f30962f8bea2ebca8

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
63B

MD5
77e7ee3e56cdb1765ad870c263799223

SHA1
0a79bd1cf63e2a8db19d0ffed4f2fb12204d2db9

SHA256
fbb58532a50639f216486fb59ec1e11ba92ee2704e0c32d9d6577f9ba3a254fd

SHA512
5e91836b0d69eee5e756fefb48767f5e3a08d34be062ac470aedf6f0504f25ab82e98de531b8083f0e4ad5dccfc8d18e9cddaf64d6c4cb8d1b2d8450e93d9e6a

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
90B

MD5
ddbb20eb84b3e55f91442c36f6a85904

SHA1
0168e36f735b5664d62dd125a475c07e1cf830ba

SHA256
e1f2595748cb97e0eb982f093be9cd9e6830e875a2c3d1d0d9baecbccfd9b5b2

SHA512
ef377abacda49a18b117dc298318052e1da92f18169a670f1bf57458af74663e288ae3aba6ec0d12a122fb698be00d4067b0f4a44e1b6012d8a3266256cdf0b7

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
72B

MD5
c540878e3d2f2403184fb6e1782aff1a

SHA1
5fbfeb1c5e4697c10d0de8c8f2c0e7eee6e23002

SHA256
ad54a1baa4a577f1c8ee997d016269184176abf81218b39d94ce78854cea6eb8

SHA512
ab41d8a6123be5c662e9a95c9c8011c2441702cdd47ab2068b8dd64f0f9efbd1a06e7e54cea3a76da5ec82edfc95ae68c043aa212a397fc0c16db32e5259ff8d

Download Submit
C:\Log.crypt2

Filesize
99B

MD5
12586f308624c261d9ff40f6c7be6293

SHA1
f41a739b38ef9712f42869b68da3a3da091ae0f5

SHA256
28ccd38dcc7e2e1c32ba54d98a4f4dc7fc19918de7e3efd8694bccee78430ed4

SHA512
cfe2e384f6fe52c6700defc2bb39d6cd857ee3638fd3eabd8716554efdf156d13e95f82208ee101e465a626141af61bcd4ac160b12be77284545ace816572d64

Download Submit
C:\Log.crypt2

Filesize
81B

MD5
54e3c3eb73a41b48821ab380611e252f

SHA1
c2c5ca8a8ec5cbe7c6725fcc055f9a749ae7652d

SHA256
8ce427319462a1625eea87e98f690620cbb51702d115456732371766548ca735

SHA512
a30a0748375e7a59b8ea46a7971a2d566973c5aced537e0c82ee873559a100ac86fbc646e5487ecab422808195ad132e70606a94a7edd8804605f12a2cf42511

Download Submit
C:\Log.crypt2

Filesize
1KB

MD5
5fc45cf74c7e501aab0a2756a9cb06f4

SHA1
89d24f55254d04e0885ac126d5768bee98af6211

SHA256
683f7addd899b7ec0c2dc8fa23279d3eb47969fada9424bccd82592100370b82

SHA512
832371ec16083a16e3a5ab0d2697a0ec2d08b474d8f7e474413cecc002ab96fff66b881c19977560200d71b4f25888d43932455b1a00d32f30962f8bea2ebca8

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
C:\Program Files\VideoLAN\VLC\uninstall.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
32KB

MD5
ccf9970a30773d65b345eae8d931f84d

SHA1
6553f5dc06ae80377d639575818d6c09569675c0

SHA256
4a9f8c31e05a8fc5cf9d844a256d14fc4c1b8b2027f32d895fc00067ea285796

SHA512
a99c82a8ad89be0b3493eed05044e8fb05afdc0e80c967c6163a5571229872df0bc50e1fd16844f272dac36abc034cb1528311fd2a0c807957003f94ec1c5d8e

Download Submit
memory/4944-612-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads