matrix | a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3

Analysis

max time kernel
4294181s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
Size

1.3MB
MD5

b9b5c6c4e7704fddd39f46d293f2ca08
SHA1

7f8d2d8af69405bc5feab6621aea70bc34dd8eb4
SHA256

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3
SHA512

aee5caaa7fc5c94741fc44f8a1615fe874c70d95a6be4249433d403d669e1f03fd0dbcfa9926b8897d4237d91ca8714cf9a95a239ff26bb8a2024b91e2a83fe6

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\default\moz-extension+++fa070f1c-a2b4-4179-b766-c7aa09203140^userContextId=4294967295\idb\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\Pictures\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Hearts\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\ext\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\security\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\amd64\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000076D4\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\ja-JP\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\management\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\OfflineCache\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\lib\jfr\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\Documents\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Users\Admin\Favorites\Links for United States\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

916 bcdedit.exe
1964 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

y9wQgCdE64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS y9wQgCdE64.exe

pid	process
916	bcdedit.exe
1964	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	y9wQgCdE64.exe

Executes dropped EXE 64 IoCs

Processes:

NWkXmBnQ.exey9wQgCdE.exey9wQgCdE64.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exey9wQgCdE.exe

pid	process
560	NWkXmBnQ.exe
756	y9wQgCdE.exe
976	y9wQgCdE64.exe
2004	y9wQgCdE.exe
888	y9wQgCdE.exe
536	y9wQgCdE.exe
1560	y9wQgCdE.exe
1664	y9wQgCdE.exe
732	y9wQgCdE.exe
544	y9wQgCdE.exe
2044	y9wQgCdE.exe
1760	y9wQgCdE.exe
1648	y9wQgCdE.exe
664	y9wQgCdE.exe
1756	y9wQgCdE.exe
1608	y9wQgCdE.exe
1048	y9wQgCdE.exe
1624	y9wQgCdE.exe
544	y9wQgCdE.exe
1076	y9wQgCdE.exe
1760	y9wQgCdE.exe
1984	y9wQgCdE.exe
812	y9wQgCdE.exe
732	y9wQgCdE.exe
1272	y9wQgCdE.exe
1736	y9wQgCdE.exe
1640	y9wQgCdE.exe
1180	y9wQgCdE.exe
1944	y9wQgCdE.exe
748	y9wQgCdE.exe
1988	y9wQgCdE.exe
1380	y9wQgCdE.exe
1648	y9wQgCdE.exe
1624	y9wQgCdE.exe
1664	y9wQgCdE.exe
2044	y9wQgCdE.exe
364	y9wQgCdE.exe
544	y9wQgCdE.exe
1716	y9wQgCdE.exe
1624	y9wQgCdE.exe
956	y9wQgCdE.exe
1760	y9wQgCdE.exe
1964	y9wQgCdE.exe
232	y9wQgCdE.exe
864	y9wQgCdE.exe
1984	y9wQgCdE.exe
1036	y9wQgCdE.exe
812	y9wQgCdE.exe
1296	y9wQgCdE.exe
236	y9wQgCdE.exe
224	y9wQgCdE.exe
1648	y9wQgCdE.exe
956	y9wQgCdE.exe
1672	y9wQgCdE.exe
1920	y9wQgCdE.exe
1668	y9wQgCdE.exe
236	y9wQgCdE.exe
1548	y9wQgCdE.exe
1648	y9wQgCdE.exe
1760	y9wQgCdE.exe
1672	y9wQgCdE.exe
2044	y9wQgCdE.exe
1692	y9wQgCdE.exe
364	y9wQgCdE.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe	upx

Loads dropped DLL 64 IoCs

Processes:

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.execmd.exey9wQgCdE.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
1148	cmd.exe
756	y9wQgCdE.exe
1736	cmd.exe
1836	cmd.exe
1600	cmd.exe
1052	cmd.exe
1984	cmd.exe
884	cmd.exe
1756	cmd.exe
1628	cmd.exe
2020	cmd.exe
1736	cmd.exe
956	cmd.exe
1180	cmd.exe
748	cmd.exe
2044	cmd.exe
1716	cmd.exe
1672	cmd.exe
1088	cmd.exe
956	cmd.exe
1036	cmd.exe
1648	cmd.exe
1588	cmd.exe
664	cmd.exe
1668	cmd.exe
1608	cmd.exe
1296	cmd.exe
520	cmd.exe
1692	cmd.exe
1076	cmd.exe
1716	cmd.exe
1736	cmd.exe
520	cmd.exe
1568	cmd.exe
1740	cmd.exe
1760	cmd.exe
1608	cmd.exe
1272	cmd.exe
664	cmd.exe
1648	cmd.exe
1988	cmd.exe
1296	cmd.exe
224	cmd.exe
1608	cmd.exe
956	cmd.exe
732	cmd.exe
364	cmd.exe
1796	cmd.exe
212	cmd.exe
748	cmd.exe
664	cmd.exe
864	cmd.exe
1076	cmd.exe
1036	cmd.exe
860	cmd.exe
364	cmd.exe
1664	cmd.exe
1600	cmd.exe
532	cmd.exe
1604	cmd.exe
216	cmd.exe
1988	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
884	takeown.exe
1296	takeown.exe
1736	takeown.exe
1568
888
228	takeown.exe
1624	takeown.exe
1740	takeown.exe
1624	takeown.exe
748	takeown.exe
1548	takeown.exe
1664
956	takeown.exe
956	takeown.exe
1608	takeown.exe
1732
1668	takeown.exe
1624	takeown.exe
1896	takeown.exe
1692
236	takeown.exe
816	takeown.exe
2004	takeown.exe
236
1208
1692	takeown.exe
1648	takeown.exe
1568	takeown.exe
1488	takeown.exe
1648
220
888
1628	takeown.exe
1692	takeown.exe
1688
1048	takeown.exe
864
220
1668
1680	takeown.exe
1920	takeown.exe
2024
1568
220
1608
1628
560	takeown.exe
1272	takeown.exe
864	takeown.exe
520	takeown.exe
1984	takeown.exe
1628
888
1588	takeown.exe
1936	takeown.exe
1672
1168
2004
1688
1760	takeown.exe
1648	takeown.exe
1160
1048
220

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

Processes:

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exey9wQgCdE64.exe

description	ioc	process
File opened (read-only)	\??\M:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\H:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\L:	y9wQgCdE64.exe
File opened (read-only)	\??\O:	y9wQgCdE64.exe
File opened (read-only)	\??\R:	y9wQgCdE64.exe
File opened (read-only)	\??\Q:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\Y:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\X:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\I:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\M:	y9wQgCdE64.exe
File opened (read-only)	\??\N:	y9wQgCdE64.exe
File opened (read-only)	\??\T:	y9wQgCdE64.exe
File opened (read-only)	\??\Y:	y9wQgCdE64.exe
File opened (read-only)	\??\Z:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\E:	y9wQgCdE64.exe
File opened (read-only)	\??\I:	y9wQgCdE64.exe
File opened (read-only)	\??\U:	y9wQgCdE64.exe
File opened (read-only)	\??\Z:	y9wQgCdE64.exe
File opened (read-only)	\??\K:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\T:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\S:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\R:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\N:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\K:	y9wQgCdE64.exe
File opened (read-only)	\??\P:	y9wQgCdE64.exe
File opened (read-only)	\??\W:	y9wQgCdE64.exe
File opened (read-only)	\??\W:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\L:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\J:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\G:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\F:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\A:	y9wQgCdE64.exe
File opened (read-only)	\??\H:	y9wQgCdE64.exe
File opened (read-only)	\??\V:	y9wQgCdE64.exe
File opened (read-only)	\??\P:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\E:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\S:	y9wQgCdE64.exe
File opened (read-only)	\??\X:	y9wQgCdE64.exe
File opened (read-only)	\??\U:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\B:	y9wQgCdE64.exe
File opened (read-only)	\??\F:	y9wQgCdE64.exe
File opened (read-only)	\??\V:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened (read-only)	\??\G:	y9wQgCdE64.exe
File opened (read-only)	\??\J:	y9wQgCdE64.exe
File opened (read-only)	\??\Q:	y9wQgCdE64.exe
File opened (read-only)	\??\O:	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\vReO1OmD.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Purble Place\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jre7\bin\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\Journal.exe.mui	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Shorthand.jtp	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\#README_CTRM#.rtf	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\uk.pak	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

864 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2024 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

y9wQgCdE64.exe

pid process

976 y9wQgCdE64.exe
976 y9wQgCdE64.exe
976 y9wQgCdE64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

y9wQgCdE64.exe

pid process

976 y9wQgCdE64.exe

pid	process
864	schtasks.exe

pid	process
2024	vssadmin.exe

pid	process
976	y9wQgCdE64.exe
976	y9wQgCdE64.exe
976	y9wQgCdE64.exe

pid	process
976	y9wQgCdE64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

y9wQgCdE64.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	976	y9wQgCdE64.exe
Token: SeLoadDriverPrivilege	976	y9wQgCdE64.exe
Token: SeBackupPrivilege	568	vssvc.exe
Token: SeRestorePrivilege	568	vssvc.exe
Token: SeAuditPrivilege	568	vssvc.exe
Token: SeTakeOwnershipPrivilege	884	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe
Token: SeTakeOwnershipPrivilege	1908	takeown.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	560	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	884	takeown.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	takeown.exe
Token: SeTakeOwnershipPrivilege	664	takeown.exe
Token: SeTakeOwnershipPrivilege	532	takeown.exe
Token: SeTakeOwnershipPrivilege	1548	takeown.exe
Token: SeTakeOwnershipPrivilege	1760	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeTakeOwnershipPrivilege	1624	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.execmd.execmd.execmd.execmd.exewscript.exey9wQgCdE.execmd.exe

description	pid	process	target process
PID 1144 wrote to memory of 1760	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 1760	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 1760	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 1760	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 560	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	NWkXmBnQ.exe
PID 1144 wrote to memory of 560	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	NWkXmBnQ.exe
PID 1144 wrote to memory of 560	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	NWkXmBnQ.exe
PID 1144 wrote to memory of 560	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	NWkXmBnQ.exe
PID 1144 wrote to memory of 1052	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 1052	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 1052	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 1052	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 660	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 660	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 660	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 660	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1052 wrote to memory of 1988	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 1988	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 1988	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 1988	1052	cmd.exe	reg.exe
PID 660 wrote to memory of 1056	660	cmd.exe	wscript.exe
PID 660 wrote to memory of 1056	660	cmd.exe	wscript.exe
PID 660 wrote to memory of 1056	660	cmd.exe	wscript.exe
PID 660 wrote to memory of 1056	660	cmd.exe	wscript.exe
PID 1052 wrote to memory of 2044	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2044	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2044	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2044	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2016	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2016	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2016	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 2016	1052	cmd.exe	reg.exe
PID 1144 wrote to memory of 324	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 324	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 324	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 1144 wrote to memory of 324	1144	a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe	cmd.exe
PID 324 wrote to memory of 1592	324	cmd.exe	cacls.exe
PID 324 wrote to memory of 1592	324	cmd.exe	cacls.exe
PID 324 wrote to memory of 1592	324	cmd.exe	cacls.exe
PID 324 wrote to memory of 1592	324	cmd.exe	cacls.exe
PID 324 wrote to memory of 1784	324	cmd.exe	takeown.exe
PID 324 wrote to memory of 1784	324	cmd.exe	takeown.exe
PID 324 wrote to memory of 1784	324	cmd.exe	takeown.exe
PID 324 wrote to memory of 1784	324	cmd.exe	takeown.exe
PID 324 wrote to memory of 1148	324	cmd.exe	cmd.exe
PID 324 wrote to memory of 1148	324	cmd.exe	cmd.exe
PID 324 wrote to memory of 1148	324	cmd.exe	cmd.exe
PID 324 wrote to memory of 1148	324	cmd.exe	cmd.exe
PID 1148 wrote to memory of 756	1148	cmd.exe	y9wQgCdE.exe
PID 1148 wrote to memory of 756	1148	cmd.exe	y9wQgCdE.exe
PID 1148 wrote to memory of 756	1148	cmd.exe	y9wQgCdE.exe
PID 1148 wrote to memory of 756	1148	cmd.exe	y9wQgCdE.exe
PID 1056 wrote to memory of 884	1056	wscript.exe	cmd.exe
PID 1056 wrote to memory of 884	1056	wscript.exe	cmd.exe
PID 1056 wrote to memory of 884	1056	wscript.exe	cmd.exe
PID 1056 wrote to memory of 884	1056	wscript.exe	cmd.exe
PID 756 wrote to memory of 976	756	y9wQgCdE.exe	y9wQgCdE64.exe
PID 756 wrote to memory of 976	756	y9wQgCdE.exe	y9wQgCdE64.exe
PID 756 wrote to memory of 976	756	y9wQgCdE.exe	y9wQgCdE64.exe
PID 756 wrote to memory of 976	756	y9wQgCdE.exe	y9wQgCdE64.exe
PID 884 wrote to memory of 864	884	cmd.exe	schtasks.exe
PID 884 wrote to memory of 864	884	cmd.exe	schtasks.exe
PID 884 wrote to memory of 864	884	cmd.exe	schtasks.exe
PID 884 wrote to memory of 864	884	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe
"C:\Users\Admin\AppData\Local\Temp\a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3.exe" "C:\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe"
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe
  "C:\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe" -n
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vReO1OmD.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vReO1OmD.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\fEIcyGIa.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\fEIcyGIa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\LpSl5E7h.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\LpSl5E7h.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE64.exe
        
        y9wQgCdE.exe -accepteula "DefaultID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:544
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:732
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1180
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:544
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  - Loads dropped DLL
  PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:812
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  - Loads dropped DLL
  PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      Executes dropped EXE
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  - Loads dropped DLL
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Journal.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Journal.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  - Loads dropped DLL
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:364
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "license.html" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "license.html" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "main.css" -nobanner
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    - Modifies file permissions
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1296
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1176
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    - Modifies file permissions
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1272
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:520
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    - Modifies file permissions
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:520
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1168
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:732
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    - Modifies file permissions
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1048
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:916
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:560
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:812
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Modifies file permissions
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:224
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:1460
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:732
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:532
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:364
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1784
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1272
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:732
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:888
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    - Modifies file permissions
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1088
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  PID:864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui""
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    - Modifies file permissions
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "Genko_2.jtp" -nobanner
      4⤵
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:812
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1272
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    - Modifies file permissions
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c y9wQgCdE.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
      y9wQgCdE.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe
    y9wQgCdE.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1160

C:\Windows\system32\taskeng.exe
taskeng.exe {51676834-8BB7-43E8-8FB4-39AF520E8E3E} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
1⤵
PID:1484
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\LpSl5E7h.bat"
  2⤵
  PID:1176
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:916
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1964
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0YBJ21S9.bat

MD5
ea444f47b42c45531b016a9ad992addb

SHA1
26140ed1f1db3ed67a0d6936a1470ad117bd8af8

SHA256
82714e791fbd84d87366eec618027541cb45531bda5d78210a0ae9b1e378ba1e

SHA512
12d9bb4871b97bcc74c9bdeac3e78147c7fb87a3d6b888f20b13d80353b2ad6f938c48592e0c71e0f761e0cb0f659efe2ce13dd3c7be1cdd54283d534c6ec712

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe

MD5
b9b5c6c4e7704fddd39f46d293f2ca08

SHA1
7f8d2d8af69405bc5feab6621aea70bc34dd8eb4

SHA256
a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3

SHA512
aee5caaa7fc5c94741fc44f8a1615fe874c70d95a6be4249433d403d669e1f03fd0dbcfa9926b8897d4237d91ca8714cf9a95a239ff26bb8a2024b91e2a83fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe

MD5
b9b5c6c4e7704fddd39f46d293f2ca08

SHA1
7f8d2d8af69405bc5feab6621aea70bc34dd8eb4

SHA256
a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3

SHA512
aee5caaa7fc5c94741fc44f8a1615fe874c70d95a6be4249433d403d669e1f03fd0dbcfa9926b8897d4237d91ca8714cf9a95a239ff26bb8a2024b91e2a83fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9wQgCdE64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\LpSl5E7h.bat

MD5
09ddd87a6526691baba669d6d5bd3fe4

SHA1
6a2e6b8fc6e63f861424fbfe48d6ba5bb1359352

SHA256
96b3989d38de5de3b688d169a8e796bea11a6651851471de1314a05548bef223

SHA512
405db87b5c64ba4a6899c26ca6f284db8e97590994f926f477846b5d7688120087d2b1cea118c1ea5a644ca556bb46f211d4f69a1e23f397432cad914e6ac19a

Download Submit
C:\Users\Admin\AppData\Roaming\fEIcyGIa.vbs

MD5
ea6f0a9b06cb07aff33d53e634f128f8

SHA1
9ca0b74fca073ca28c2b5e5e1be3947ce1b6cd42

SHA256
7d2906b832986e75b99bf9b8efbccb682513b8fda60cab94433d2fd86875dfde

SHA512
993d051d80bd35394a36100ab02e41d3dc6a41c11855bf07a44f412a8c9f9ac1fd57523122d1d83b250db52e52fdb8b0c5a1b55dff3d168a14d61a6ba47d672d

Download Submit
\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe

MD5
b9b5c6c4e7704fddd39f46d293f2ca08

SHA1
7f8d2d8af69405bc5feab6621aea70bc34dd8eb4

SHA256
a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3

SHA512
aee5caaa7fc5c94741fc44f8a1615fe874c70d95a6be4249433d403d669e1f03fd0dbcfa9926b8897d4237d91ca8714cf9a95a239ff26bb8a2024b91e2a83fe6

Download Submit
\Users\Admin\AppData\Local\Temp\NWkXmBnQ.exe

MD5
b9b5c6c4e7704fddd39f46d293f2ca08

SHA1
7f8d2d8af69405bc5feab6621aea70bc34dd8eb4

SHA256
a6df222572f57fabf6896d7dd6cca8e9ed8941e896b3094f7707ad9a700696c3

SHA512
aee5caaa7fc5c94741fc44f8a1615fe874c70d95a6be4249433d403d669e1f03fd0dbcfa9926b8897d4237d91ca8714cf9a95a239ff26bb8a2024b91e2a83fe6

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\y9wQgCdE64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/1144-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download