matrix | 5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f

Analysis

max time kernel
156s
max time network
55s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
Size

1.3MB
MD5

7bedd0c5e4d5c7a6f5ad69898598b526
SHA1

c0263f12b942d370260cf23eddcbd34abaf8b08e
SHA256

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f
SHA512

68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

Score

10^/10

matrix discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exereg.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jre7\lib\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Purble Place\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Users\Admin\Music\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jre7\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\FreeCell\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jre7\lib\amd64\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\ja-JP\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops file in Drivers directory 1 IoCs

Processes:

KUwSkxn464.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS KUwSkxn464.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	KUwSkxn464.exe

Executes dropped EXE 64 IoCs

Processes:

NW38743N.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn464.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exeKUwSkxn4.exe

pid	process
2036	NW38743N.exe
1552	KUwSkxn4.exe
1068	KUwSkxn4.exe
1648	KUwSkxn4.exe
2088	KUwSkxn464.exe
2112	KUwSkxn4.exe
2236	KUwSkxn4.exe
2256	KUwSkxn4.exe
2292	KUwSkxn4.exe
2400	KUwSkxn4.exe
2428	KUwSkxn4.exe
2528	KUwSkxn4.exe
2556	KUwSkxn4.exe
2652	KUwSkxn4.exe
2680	KUwSkxn4.exe
2780	KUwSkxn4.exe
2808	KUwSkxn4.exe
3060	KUwSkxn4.exe
1472	KUwSkxn4.exe
2100	KUwSkxn4.exe
1372	KUwSkxn4.exe
1988	KUwSkxn4.exe
860	KUwSkxn4.exe
932	KUwSkxn4.exe
2020	KUwSkxn4.exe
2032	KUwSkxn4.exe
1676	KUwSkxn4.exe
2248	KUwSkxn4.exe
2276	KUwSkxn4.exe
2296	KUwSkxn4.exe
2164	KUwSkxn4.exe
2404	KUwSkxn4.exe
2408	KUwSkxn4.exe
2328	KUwSkxn4.exe
2456	KUwSkxn4.exe
2520	KUwSkxn4.exe
2564	KUwSkxn4.exe
2628	KUwSkxn4.exe
2656	KUwSkxn4.exe
2696	KUwSkxn4.exe
2748	KUwSkxn4.exe
2804	KUwSkxn4.exe
2808	KUwSkxn4.exe
1636	KUwSkxn4.exe
1996	KUwSkxn4.exe
3036	KUwSkxn4.exe
3048	KUwSkxn4.exe
2940	KUwSkxn4.exe
2120	KUwSkxn4.exe
2124	KUwSkxn4.exe
1648	KUwSkxn4.exe
1592	KUwSkxn4.exe
860	KUwSkxn4.exe
1576	KUwSkxn4.exe
1784	KUwSkxn4.exe
1444	KUwSkxn4.exe
1916	KUwSkxn4.exe
2232	KUwSkxn4.exe
2276	KUwSkxn4.exe
2316	KUwSkxn4.exe
2188	KUwSkxn4.exe
2392	KUwSkxn4.exe
2396	KUwSkxn4.exe
2432	KUwSkxn4.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\GrantRemove.tiff	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KUwSkxn464.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	KUwSkxn464.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/1552-92-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2112-111-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/1648-105-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1068-115-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2236-125-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2256-126-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2164-129-0x0000000002010000-0x0000000002087000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2292-132-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1552-135-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2400-142-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2428-147-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2528-156-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2556-161-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2652-170-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2680-175-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2780-184-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2808-189-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/3060-199-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/1472-203-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/2100-207-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1372-211-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx
behavioral1/memory/1988-215-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe	upx

Loads dropped DLL 64 IoCs

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.execmd.execmd.execmd.exeKUwSkxn4.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
592	cmd.exe
1104	cmd.exe
1092	cmd.exe
1552	KUwSkxn4.exe
1628	cmd.exe
1596	cmd.exe
2220	cmd.exe
2164	cmd.exe
2388	cmd.exe
2328	cmd.exe
2516	cmd.exe
2460	cmd.exe
2640	cmd.exe
2584	cmd.exe
2768	cmd.exe
2708	cmd.exe
3052	cmd.exe
2940	cmd.exe
1748	cmd.exe
1648	cmd.exe
1196	cmd.exe
544	cmd.exe
1664	cmd.exe
1796	cmd.exe
768	cmd.exe
2140	cmd.exe
2232	cmd.exe
2204	cmd.exe
2312	cmd.exe
1640	cmd.exe
2396	cmd.exe
2320	cmd.exe
2440	cmd.exe
1264	cmd.exe
2532	cmd.exe
2500	cmd.exe
2620	cmd.exe
2572	cmd.exe
2692	cmd.exe
2660	cmd.exe
2772	cmd.exe
2760	cmd.exe
564	cmd.exe
1292	cmd.exe
2948	cmd.exe
2872	cmd.exe
2944	cmd.exe
3064	cmd.exe
584	cmd.exe
108	cmd.exe
696	cmd.exe
1356	cmd.exe
1032	cmd.exe
1288	cmd.exe
1284	cmd.exe
2056	cmd.exe
2244	cmd.exe
1332	cmd.exe
2308	cmd.exe
2196	cmd.exe
2380	cmd.exe
2260	cmd.exe

Modifies file permissions 1 TTPs 55 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
2504	takeown.exe
2380	takeown.exe
3044	takeown.exe
2628	takeown.exe
1776	takeown.exe
1492	takeown.exe
572	takeown.exe
3004	takeown.exe
1724	takeown.exe
1596	takeown.exe
2584	takeown.exe
2536	takeown.exe
2120	takeown.exe
2412	takeown.exe
1472	takeown.exe
2288	takeown.exe
916	takeown.exe
2452	takeown.exe
1516	takeown.exe
304	takeown.exe
2752	takeown.exe
108	takeown.exe
2568	takeown.exe
1556	takeown.exe
1648	takeown.exe
1944	takeown.exe
2684	takeown.exe
2760	takeown.exe
2080	takeown.exe
1896	takeown.exe
2816	takeown.exe
2440	takeown.exe
3040	takeown.exe
308	takeown.exe
2936	takeown.exe
588	takeown.exe
2376	takeown.exe
1068	takeown.exe
1536	takeown.exe
1036	takeown.exe
2432	takeown.exe
2624	takeown.exe
2540	takeown.exe
1200	takeown.exe
2208	takeown.exe
1688	takeown.exe
2796	takeown.exe
2300	takeown.exe
2596	takeown.exe
2384	takeown.exe
2020	takeown.exe
2556	takeown.exe
2488	takeown.exe
2208	takeown.exe
1508	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N7QPJOQI\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y4L7EXDB\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4SXR972F\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\70L7AE9U\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exeKUwSkxn464.exe

description	ioc	process
File opened (read-only)	\??\Z:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\A:	KUwSkxn464.exe
File opened (read-only)	\??\G:	KUwSkxn464.exe
File opened (read-only)	\??\Q:	KUwSkxn464.exe
File opened (read-only)	\??\X:	KUwSkxn464.exe
File opened (read-only)	\??\W:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\O:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\J:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\L:	KUwSkxn464.exe
File opened (read-only)	\??\V:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\G:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\N:	KUwSkxn464.exe
File opened (read-only)	\??\P:	KUwSkxn464.exe
File opened (read-only)	\??\V:	KUwSkxn464.exe
File opened (read-only)	\??\T:	KUwSkxn464.exe
File opened (read-only)	\??\T:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\I:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\H:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\E:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\K:	KUwSkxn464.exe
File opened (read-only)	\??\Y:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\S:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\R:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\O:	KUwSkxn464.exe
File opened (read-only)	\??\S:	KUwSkxn464.exe
File opened (read-only)	\??\F:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\B:	KUwSkxn464.exe
File opened (read-only)	\??\E:	KUwSkxn464.exe
File opened (read-only)	\??\X:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\U:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\N:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\M:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\L:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\F:	KUwSkxn464.exe
File opened (read-only)	\??\H:	KUwSkxn464.exe
File opened (read-only)	\??\J:	KUwSkxn464.exe
File opened (read-only)	\??\Z:	KUwSkxn464.exe
File opened (read-only)	\??\Q:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\P:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\U:	KUwSkxn464.exe
File opened (read-only)	\??\W:	KUwSkxn464.exe
File opened (read-only)	\??\K:	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only)	\??\I:	KUwSkxn464.exe
File opened (read-only)	\??\M:	KUwSkxn464.exe
File opened (read-only)	\??\R:	KUwSkxn464.exe
File opened (read-only)	\??\Y:	KUwSkxn464.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\YA6J3nuN.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Accra	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Detroit	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\sound.properties	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#MMTA_README#.rtf	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chicago	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1164 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

KUwSkxn464.exe

pid process

2088 KUwSkxn464.exe
2088 KUwSkxn464.exe
2088 KUwSkxn464.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

KUwSkxn464.exe

pid process

2088 KUwSkxn464.exe

pid	process
1292	schtasks.exe

pid	process
1164	vssadmin.exe

pid	process
2088	KUwSkxn464.exe
2088	KUwSkxn464.exe
2088	KUwSkxn464.exe

pid	process
2088	KUwSkxn464.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

KUwSkxn464.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2088	KUwSkxn464.exe
Token: SeLoadDriverPrivilege	2088	KUwSkxn464.exe
Token: SeTakeOwnershipPrivilege	2752	takeown.exe
Token: SeTakeOwnershipPrivilege	108	takeown.exe
Token: SeTakeOwnershipPrivilege	1508	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: SeTakeOwnershipPrivilege	1036	takeown.exe
Token: SeTakeOwnershipPrivilege	308	takeown.exe
Token: SeTakeOwnershipPrivilege	2288	takeown.exe
Token: SeTakeOwnershipPrivilege	2380	takeown.exe
Token: SeTakeOwnershipPrivilege	2432	takeown.exe
Token: SeTakeOwnershipPrivilege	2540	takeown.exe
Token: SeTakeOwnershipPrivilege	2624	takeown.exe
Token: SeTakeOwnershipPrivilege	2584	takeown.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	3004	takeown.exe
Token: SeTakeOwnershipPrivilege	1516	takeown.exe
Token: SeTakeOwnershipPrivilege	3044	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeTakeOwnershipPrivilege	1724	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	2208	takeown.exe
Token: SeTakeOwnershipPrivilege	1596	takeown.exe
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	2440	takeown.exe
Token: SeTakeOwnershipPrivilege	2556	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	2760	takeown.exe
Token: SeTakeOwnershipPrivilege	1556	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.execmd.execmd.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 960	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 960	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 960	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 960	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 2036	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	NW38743N.exe
PID 1780 wrote to memory of 2036	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	NW38743N.exe
PID 1780 wrote to memory of 2036	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	NW38743N.exe
PID 1780 wrote to memory of 2036	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	NW38743N.exe
PID 1780 wrote to memory of 932	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 932	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 932	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 932	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1996	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1996	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1996	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1996	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 932 wrote to memory of 1528	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1528	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1528	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1528	932	cmd.exe	reg.exe
PID 932 wrote to memory of 764	932	cmd.exe	reg.exe
PID 932 wrote to memory of 764	932	cmd.exe	reg.exe
PID 932 wrote to memory of 764	932	cmd.exe	reg.exe
PID 932 wrote to memory of 764	932	cmd.exe	reg.exe
PID 1996 wrote to memory of 1004	1996	cmd.exe	wscript.exe
PID 1996 wrote to memory of 1004	1996	cmd.exe	wscript.exe
PID 1996 wrote to memory of 1004	1996	cmd.exe	wscript.exe
PID 1996 wrote to memory of 1004	1996	cmd.exe	wscript.exe
PID 932 wrote to memory of 1740	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1740	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1740	932	cmd.exe	reg.exe
PID 932 wrote to memory of 1740	932	cmd.exe	reg.exe
PID 1004 wrote to memory of 1976	1004	wscript.exe	cmd.exe
PID 1004 wrote to memory of 1976	1004	wscript.exe	cmd.exe
PID 1004 wrote to memory of 1976	1004	wscript.exe	cmd.exe
PID 1004 wrote to memory of 1976	1004	wscript.exe	cmd.exe
PID 1976 wrote to memory of 1292	1976	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 1292	1976	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 1292	1976	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 1292	1976	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 1568	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1568	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1568	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1568	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1596	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1596	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1596	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1780 wrote to memory of 1596	1780	5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe	cmd.exe
PID 1568 wrote to memory of 1952	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 1952	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 1952	1568	cmd.exe	cacls.exe
PID 1568 wrote to memory of 1952	1568	cmd.exe	cacls.exe
PID 1596 wrote to memory of 108	1596	cmd.exe	cacls.exe
PID 1596 wrote to memory of 108	1596	cmd.exe	cacls.exe
PID 1596 wrote to memory of 108	1596	cmd.exe	cacls.exe
PID 1596 wrote to memory of 108	1596	cmd.exe	cacls.exe
PID 1568 wrote to memory of 1896	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 1896	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 1896	1568	cmd.exe	takeown.exe
PID 1568 wrote to memory of 1896	1568	cmd.exe	takeown.exe
PID 1596 wrote to memory of 1648	1596	cmd.exe	takeown.exe
PID 1596 wrote to memory of 1648	1596	cmd.exe	takeown.exe
PID 1596 wrote to memory of 1648	1596	cmd.exe	takeown.exe
PID 1596 wrote to memory of 1648	1596	cmd.exe	takeown.exe

C:\Users\Admin\AppData\Local\Temp\5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
"C:\Users\Admin\AppData\Local\Temp\5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe" "C:\Users\Admin\AppData\Local\Temp\NW38743N.exe"
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\NW38743N.exe
  "C:\Users\Admin\AppData\Local\Temp\NW38743N.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YA6J3nuN.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YA6J3nuN.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Matrix Ransomware
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\KvYsC84p.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\KvYsC84p.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\GTUmg57X.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\GTUmg57X.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn464.exe
        
        KUwSkxn4.exe -accepteula "StandardBusiness.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:2164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:2460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2528
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2652
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:2708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:2940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3060
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2248
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  - Loads dropped DLL
  PID:1640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2296
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  - Loads dropped DLL
  PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  - Loads dropped DLL
  PID:2500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2520
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2628
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  - Loads dropped DLL
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    - Modifies file permissions
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "bl.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "bl.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  - Loads dropped DLL
  PID:2872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  - Loads dropped DLL
  PID:3064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  - Loads dropped DLL
  PID:108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    - Modifies file permissions
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "rss.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:584
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "rss.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2124
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  - Loads dropped DLL
  PID:1356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    - Modifies file permissions
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "trash.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "trash.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  - Loads dropped DLL
  PID:1288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "Identity-V" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:1576
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  - Loads dropped DLL
  PID:2056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1444
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  - Loads dropped DLL
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    - Modifies file permissions
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      Executes dropped EXE
      PID:2232
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  - Loads dropped DLL
  PID:2196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  - Loads dropped DLL
  PID:2260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "can.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "can.hyp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2432
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    - Modifies file permissions
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:2544
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    - Modifies file permissions
    PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:2612
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:2692
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:2772
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2868
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:108
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:544
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1788
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:472
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:2192
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:2260
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    - Modifies file permissions
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:2564
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c KUwSkxn4.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
      KUwSkxn4.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:2936
- - C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe
    KUwSkxn4.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2960

C:\Windows\system32\taskeng.exe
taskeng.exe {5C6AEC2D-F1C8-45C9-8AF3-33C652DD5CFE} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
1⤵
PID:2892
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\GTUmg57X.bat"
  2⤵
  PID:2928
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf

Filesize
107KB

MD5
11e92b03fc4bf64afa9e7f56b87ee77d

SHA1
2e99b661a027052dd74ec83b8e947720ec30e07b

SHA256
8e48d5d278ffbf3edff79fe011485acf6d3a602393ff5ee511c44a1cf2ac4b6f

SHA512
3783674ef538e3a935a73876d7f09fea885f768213029e06dcbbb67835b3c0fcedd4486eb1e6697a0cb2f85d834b9901e711e57cca0dfe57e1ebeee554d165d3

Download Submit
C:\Program Files\Java\jre7\bin\server\classes.jsa

Filesize
20.1MB

MD5
db6243af54169015aef8755f8550650f

SHA1
54132c690c611f6130b338a5a1bd9502baedad96

SHA256
273b41aaf5e86da815104f236a9cf073bf14fa1c9c8eecc3a217fd940d659a61

SHA512
d61c646e4873ca8c7bd414ca29f452045aca2fb138013ecf1cdabca8ceee7a3aad6474ceb40723fc64b4f252c3062dbe80bc4ed2750a697f76b480e419d89d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5UroSFUh.bat

Filesize
226B

MD5
6e8d0a5085da916369321911811ff233

SHA1
56f23ac7f21d27baceaa006de093723ef1871264

SHA256
c3ab4c02994054b96cbb73315e35a07030ba8b6dccb597c1f7b8ddaf22c116b2

SHA512
ca82fabbed0c13929d5faaf074e5a741305961ceb48282b90085e95c71242c14e7606099bc17d95d0f9ec768bfbc70f11c629852353fb0867f343573b4dd528f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwSkxn464.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW38743N.exe

Filesize
1.3MB

MD5
7bedd0c5e4d5c7a6f5ad69898598b526

SHA1
c0263f12b942d370260cf23eddcbd34abaf8b08e

SHA256
5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f

SHA512
68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW38743N.exe

Filesize
1.3MB

MD5
7bedd0c5e4d5c7a6f5ad69898598b526

SHA1
c0263f12b942d370260cf23eddcbd34abaf8b08e

SHA256
5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f

SHA512
68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

Download Submit
C:\Users\Admin\AppData\Roaming\KvYsC84p.vbs

Filesize
260B

MD5
4e3566587c511046fdaee2ba373ee508

SHA1
3441e53c9fee63fd6e9f7af822c18626d5be216b

SHA256
76d1e48a36f0f9bc8f423a1590e3ac31d414ef00befebc99119bdd20536c7ff2

SHA512
c36d7fb7191952d31f7c10cf9ea829cbe469cf91681759ab0113cdc6ba1e486c04ca0b5bebb90419f47422591db019780b52a77584134b26f24b7d81647a001b

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn4.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\KUwSkxn464.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
\Users\Admin\AppData\Local\Temp\NW38743N.exe

Filesize
1.3MB

MD5
7bedd0c5e4d5c7a6f5ad69898598b526

SHA1
c0263f12b942d370260cf23eddcbd34abaf8b08e

SHA256
5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f

SHA512
68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

Download Submit
\Users\Admin\AppData\Local\Temp\NW38743N.exe

Filesize
1.3MB

MD5
7bedd0c5e4d5c7a6f5ad69898598b526

SHA1
c0263f12b942d370260cf23eddcbd34abaf8b08e

SHA256
5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f

SHA512
68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

Download Submit
memory/108-76-0x0000000000000000-mapping.dmp

Download
memory/592-90-0x00000000002F0000-0x0000000000367000-memory.dmp

Filesize
476KB

Download
memory/592-82-0x0000000000000000-mapping.dmp

Download
memory/764-65-0x0000000000000000-mapping.dmp

Download
memory/860-219-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/860-293-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/932-223-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/932-62-0x0000000000000000-mapping.dmp

Download
memory/960-55-0x0000000000000000-mapping.dmp

Download
memory/1004-66-0x0000000000000000-mapping.dmp

Download
memory/1068-86-0x0000000000000000-mapping.dmp

Download
memory/1068-115-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1092-96-0x0000000000000000-mapping.dmp

Download
memory/1104-91-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1104-81-0x0000000000000000-mapping.dmp

Download
memory/1292-71-0x0000000000000000-mapping.dmp

Download
memory/1372-211-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1444-299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1472-203-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1472-95-0x0000000000000000-mapping.dmp

Download
memory/1528-64-0x0000000000000000-mapping.dmp

Download
memory/1528-94-0x0000000000000000-mapping.dmp

Download
memory/1552-92-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1552-135-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1552-87-0x0000000000000000-mapping.dmp

Download
memory/1568-72-0x0000000000000000-mapping.dmp

Download
memory/1576-295-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1592-291-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1596-74-0x0000000000000000-mapping.dmp

Download
memory/1628-93-0x0000000000000000-mapping.dmp

Download
memory/1636-274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1648-105-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1648-80-0x0000000000000000-mapping.dmp

Download
memory/1648-289-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1648-98-0x0000000000000000-mapping.dmp

Download
memory/1676-235-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1740-67-0x0000000000000000-mapping.dmp

Download
memory/1780-54-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1784-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-79-0x0000000000000000-mapping.dmp

Download
memory/1916-301-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1952-75-0x0000000000000000-mapping.dmp

Download
memory/1976-70-0x0000000000000000-mapping.dmp

Download
memory/1988-215-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1996-276-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/2020-227-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2032-231-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download
memory/2088-104-0x0000000000000000-mapping.dmp

Download
memory/2100-207-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2112-111-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2112-108-0x0000000000000000-mapping.dmp

Download
memory/2120-285-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2124-287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-129-0x0000000002010000-0x0000000002087000-memory.dmp

Filesize
476KB

Download
memory/2164-112-0x0000000000000000-mapping.dmp

Download
memory/2164-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2192-113-0x0000000000000000-mapping.dmp

Download
memory/2208-114-0x0000000000000000-mapping.dmp

Download
memory/2220-116-0x0000000000000000-mapping.dmp

Download
memory/2232-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2236-125-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2236-118-0x0000000000000000-mapping.dmp

Download
memory/2248-239-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2256-122-0x0000000000000000-mapping.dmp

Download
memory/2256-126-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2276-242-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2276-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2292-132-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2292-128-0x0000000000000000-mapping.dmp

Download
memory/2296-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-133-0x0000000000000000-mapping.dmp

Download
memory/2328-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2356-134-0x0000000000000000-mapping.dmp

Download
memory/2376-136-0x0000000000000000-mapping.dmp

Download
memory/2388-137-0x0000000000000000-mapping.dmp

Download
memory/2400-142-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2400-139-0x0000000000000000-mapping.dmp

Download
memory/2404-248-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2408-250-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2428-144-0x0000000000000000-mapping.dmp

Download
memory/2428-147-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2456-254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-148-0x0000000000000000-mapping.dmp

Download
memory/2488-149-0x0000000000000000-mapping.dmp

Download
memory/2504-150-0x0000000000000000-mapping.dmp

Download
memory/2516-151-0x0000000000000000-mapping.dmp

Download
memory/2520-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2528-153-0x0000000000000000-mapping.dmp

Download
memory/2528-156-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2556-158-0x0000000000000000-mapping.dmp

Download
memory/2556-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2564-258-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2584-162-0x0000000000000000-mapping.dmp

Download
memory/2612-163-0x0000000000000000-mapping.dmp

Download
memory/2628-260-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2628-164-0x0000000000000000-mapping.dmp

Download
memory/2640-165-0x0000000000000000-mapping.dmp

Download
memory/2652-167-0x0000000000000000-mapping.dmp

Download
memory/2652-170-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2656-262-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2680-172-0x0000000000000000-mapping.dmp

Download
memory/2680-175-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2696-264-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2708-176-0x0000000000000000-mapping.dmp

Download
memory/2736-177-0x0000000000000000-mapping.dmp

Download
memory/2748-266-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2752-178-0x0000000000000000-mapping.dmp

Download
memory/2760-270-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2768-179-0x0000000000000000-mapping.dmp

Download
memory/2780-181-0x0000000000000000-mapping.dmp

Download
memory/2780-184-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2804-268-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2808-189-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2808-186-0x0000000000000000-mapping.dmp

Download
memory/2808-272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2808-271-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2840-190-0x0000000000000000-mapping.dmp

Download
memory/2868-191-0x0000000000000000-mapping.dmp

Download
memory/2928-192-0x0000000000000000-mapping.dmp

Download
memory/2940-283-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2940-193-0x0000000000000000-mapping.dmp

Download
memory/2948-279-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/3020-194-0x0000000000000000-mapping.dmp

Download
memory/3036-278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3040-195-0x0000000000000000-mapping.dmp

Download
memory/3048-281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3060-199-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download