matrix | 44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
184s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
Size

3.7MB
MD5

9c7e90d7637277bb4f4985405eb0ace9
SHA1

5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d
SHA256

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
SHA512

7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9
SSDEEP

98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par empty\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 4AB2BE8D9F607C9C\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b empty\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 4AB2BE8D9F607C9C\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 wvpUDSrb\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1603059206-2004189698-4139800220-1000\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jc9ad0k2.default-release\settings\main\ms-language-packs\browser\newtab\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Public\Desktop\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00007CFB\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\Documents\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jre7\lib\security\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\Downloads\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Public\Music\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Mozilla Firefox\browser\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4460 bcdedit.exe
4768 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

UCHMnGpZ64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS UCHMnGpZ64.exe

pid	process
4460	bcdedit.exe
4768	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	UCHMnGpZ64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UCHMnGpZ64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	UCHMnGpZ64.exe

Executes dropped EXE 64 IoCs

Processes:

NWfz0cez.exeUCHMnGpZ.exeUCHMnGpZ64.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.execonhost.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exetakeown.execmd.exeUCHMnGpZ.execacls.exeUCHMnGpZ.exeUCHMnGpZ.execmd.execacls.exetakeown.exeUCHMnGpZ.exeUCHMnGpZ.execmd.execmd.execacls.execonhost.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exeUCHMnGpZ.exe

pid	process
2644	NWfz0cez.exe
3120	UCHMnGpZ.exe
3416	UCHMnGpZ64.exe
2480	UCHMnGpZ.exe
632	UCHMnGpZ.exe
2500	UCHMnGpZ.exe
3704	UCHMnGpZ.exe
3684	UCHMnGpZ.exe
3632	UCHMnGpZ.exe
2324	UCHMnGpZ.exe
3668	UCHMnGpZ.exe
3728	UCHMnGpZ.exe
4372	UCHMnGpZ.exe
4200	UCHMnGpZ.exe
2132	UCHMnGpZ.exe
1372	UCHMnGpZ.exe
1932	UCHMnGpZ.exe
1992	UCHMnGpZ.exe
4292	UCHMnGpZ.exe
324	UCHMnGpZ.exe
4352	UCHMnGpZ.exe
2296	UCHMnGpZ.exe
5016	UCHMnGpZ.exe
788	UCHMnGpZ.exe
4984	UCHMnGpZ.exe
2132	UCHMnGpZ.exe
1576	UCHMnGpZ.exe
3048	UCHMnGpZ.exe
4648	UCHMnGpZ.exe
4768	UCHMnGpZ.exe
4916	UCHMnGpZ.exe
4748	UCHMnGpZ.exe
4752	UCHMnGpZ.exe
4836	UCHMnGpZ.exe
1976	UCHMnGpZ.exe
4364	UCHMnGpZ.exe
2460	UCHMnGpZ.exe
2392	UCHMnGpZ.exe
2508	UCHMnGpZ.exe
320	UCHMnGpZ.exe
3848	conhost.exe
3644	UCHMnGpZ.exe
3248	UCHMnGpZ.exe
2272	UCHMnGpZ.exe
1084	UCHMnGpZ.exe
1912	takeown.exe
2852	cmd.exe
3040	UCHMnGpZ.exe
3916	cacls.exe
1800	UCHMnGpZ.exe
3564	UCHMnGpZ.exe
272	cmd.exe
1524	cacls.exe
1964	takeown.exe
3760	UCHMnGpZ.exe
3232	UCHMnGpZ.exe
3600	cmd.exe
4376	cmd.exe
3264	cacls.exe
4024	conhost.exe
3160	UCHMnGpZ.exe
3368	UCHMnGpZ.exe
3488	UCHMnGpZ.exe
4400	UCHMnGpZ.exe

Loads dropped DLL 64 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.execmd.exeUCHMnGpZ.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeUCHMnGpZ.execmd.execmd.execmd.execmd.exeUCHMnGpZ.execonhost.execonhost.execmd.execmd.execmd.exeUCHMnGpZ.execmd.execmd.execonhost.execacls.execmd.execmd.execacls.exetakeown.execmd.exe

pid	process
2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
2708	cmd.exe
3120	UCHMnGpZ.exe
1884	cmd.exe
3864	cmd.exe
4452	cmd.exe
3168	cmd.exe
3144	cmd.exe
1440	cmd.exe
3880	cmd.exe
3600	cmd.exe
1708	cmd.exe
3276	cmd.exe
1152	cmd.exe
960	cmd.exe
3920	cmd.exe
752	cmd.exe
2956	cmd.exe
4416	cmd.exe
1096	cmd.exe
2472	cmd.exe
4548	cmd.exe
4520	cmd.exe
5048	cmd.exe
5004	cmd.exe
5104	cmd.exe
5012	cmd.exe
4632	cmd.exe
1916	cmd.exe
4700	cmd.exe
4664	cmd.exe
4716	cmd.exe
4928	cmd.exe
4432	cmd.exe
4772	cmd.exe
4592	cmd.exe
1168	cmd.exe
836	cmd.exe
1280	cmd.exe
1560	cmd.exe
3704	cmd.exe
3636	cmd.exe
3768	cmd.exe
2968	UCHMnGpZ.exe
276	cmd.exe
1120	cmd.exe
2516	cmd.exe
4000	cmd.exe
704	UCHMnGpZ.exe
3200	conhost.exe
2868	conhost.exe
1948	cmd.exe
2800	cmd.exe
3516	cmd.exe
3240	UCHMnGpZ.exe
2948	cmd.exe
1064	cmd.exe
1688	conhost.exe
3212	cacls.exe
3404	cmd.exe
3980	cmd.exe
3372	cacls.exe
4392	takeown.exe
3276	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
3864	takeown.exe
3956
3800	takeown.exe
2204	takeown.exe
236	takeown.exe
5040	takeown.exe
4364
272
3036	takeown.exe
3700	takeown.exe
2252
2040	takeown.exe
3036	takeown.exe
3880	takeown.exe
4076	takeown.exe
2976	takeown.exe
3032	takeown.exe
4996	takeown.exe
1500	takeown.exe
4792
2936	takeown.exe
4776	takeown.exe
4464	takeown.exe
3572	takeown.exe
3908	takeown.exe
1912	takeown.exe
3008
3324
4144	takeown.exe
4456	takeown.exe
4820	takeown.exe
1372	takeown.exe
2832	takeown.exe
1068
3596	takeown.exe
1988
2480	takeown.exe
3180	takeown.exe
3608	takeown.exe
3720	takeown.exe
1192	takeown.exe
3328	takeown.exe
4620	takeown.exe
1808	takeown.exe
3616	takeown.exe
2984
3076	takeown.exe
1736	takeown.exe
3208	takeown.exe
4084	takeown.exe
4460	takeown.exe
3740	takeown.exe
3064
3476	takeown.exe
2832
4740
1480
3256	takeown.exe
2644	takeown.exe
3612	takeown.exe
1632	takeown.exe
3976	takeown.exe
3920
1704	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe	upx
behavioral11/memory/3120-2630-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2708-2463-0x0000000000160000-0x00000000001D7000-memory.dmp	upx
behavioral11/memory/2480-5092-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/632-5546-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2500-6170-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3704-6174-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3120-6175-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3684-6236-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3632-6240-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2324-6263-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3668-6266-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3668-6267-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3728-6331-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4372-6334-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4200-6628-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2132-6712-0x0000000000400000-0x0000000000477000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe	upx
behavioral11/memory/1372-6805-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1932-6921-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1992-7282-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4292-7335-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/324-7352-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4352-7359-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5016-7368-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4520-7367-0x0000000000200000-0x0000000000277000-memory.dmp	upx
behavioral11/memory/2296-7364-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/788-7373-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/788-7374-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4984-7378-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2132-7383-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1576-7386-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4648-7392-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3048-7389-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4768-7395-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4916-7396-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4752-7398-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4748-7397-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4836-7400-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1976-7401-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4364-7404-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2460-7405-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2508-7407-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2392-7406-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3848-7416-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/320-7414-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3644-7418-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3248-7419-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1084-7423-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1084-7422-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1912-7425-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2852-7426-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2272-7421-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3040-7434-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3916-7436-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3564-7442-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3760-7449-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3232-7457-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3600-7458-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1964-7448-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4376-7461-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3264-7463-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3160-7470-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3368-7473-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 41 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2188SAD3\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\97G4C1D4\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DRPRFCEW\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ETVASUKU\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exeUCHMnGpZ64.exe

description	ioc	process
File opened (read-only)	\??\S:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\R:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\K:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\J:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\H:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\Z:	UCHMnGpZ64.exe
File opened (read-only)	\??\Z:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\V:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\Q:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\U:	UCHMnGpZ64.exe
File opened (read-only)	\??\V:	UCHMnGpZ64.exe
File opened (read-only)	\??\Y:	UCHMnGpZ64.exe
File opened (read-only)	\??\E:	UCHMnGpZ64.exe
File opened (read-only)	\??\I:	UCHMnGpZ64.exe
File opened (read-only)	\??\L:	UCHMnGpZ64.exe
File opened (read-only)	\??\T:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\G:	UCHMnGpZ64.exe
File opened (read-only)	\??\N:	UCHMnGpZ64.exe
File opened (read-only)	\??\Y:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\M:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\J:	UCHMnGpZ64.exe
File opened (read-only)	\??\O:	UCHMnGpZ64.exe
File opened (read-only)	\??\T:	UCHMnGpZ64.exe
File opened (read-only)	\??\X:	UCHMnGpZ64.exe
File opened (read-only)	\??\U:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\K:	UCHMnGpZ64.exe
File opened (read-only)	\??\R:	UCHMnGpZ64.exe
File opened (read-only)	\??\W:	UCHMnGpZ64.exe
File opened (read-only)	\??\P:	UCHMnGpZ64.exe
File opened (read-only)	\??\Q:	UCHMnGpZ64.exe
File opened (read-only)	\??\X:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\P:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\N:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\L:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\A:	UCHMnGpZ64.exe
File opened (read-only)	\??\B:	UCHMnGpZ64.exe
File opened (read-only)	\??\M:	UCHMnGpZ64.exe
File opened (read-only)	\??\S:	UCHMnGpZ64.exe
File opened (read-only)	\??\W:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\O:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\I:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\G:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\E:	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened (read-only)	\??\H:	UCHMnGpZ64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\fLANsULi.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayman	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\ExpandInstall.js	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Hearts\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\VideoLAN\VLC\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\#NOBAD_README#.rtf	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1872 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1304 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

UCHMnGpZ64.exe

pid process

3416 UCHMnGpZ64.exe
3416 UCHMnGpZ64.exe
3416 UCHMnGpZ64.exe
3416 UCHMnGpZ64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

UCHMnGpZ64.exe

pid process

3416 UCHMnGpZ64.exe

pid	process
1872	schtasks.exe

pid	process
1304	vssadmin.exe

pid	process
3416	UCHMnGpZ64.exe
3416	UCHMnGpZ64.exe
3416	UCHMnGpZ64.exe
3416	UCHMnGpZ64.exe

pid	process
3416	UCHMnGpZ64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

UCHMnGpZ64.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.execonhost.exetakeown.execonhost.exeWMIC.exeUCHMnGpZ.exeUCHMnGpZ.execmd.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3416	UCHMnGpZ64.exe
Token: SeLoadDriverPrivilege	3416	UCHMnGpZ64.exe
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe
Token: SeTakeOwnershipPrivilege	3924	takeown.exe
Token: SeTakeOwnershipPrivilege	3032	takeown.exe
Token: SeTakeOwnershipPrivilege	4560	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	2480	takeown.exe
Token: SeTakeOwnershipPrivilege	3868	takeown.exe
Token: SeTakeOwnershipPrivilege	4696	takeown.exe
Token: SeTakeOwnershipPrivilege	4720	takeown.exe
Token: SeTakeOwnershipPrivilege	4820	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	3280	takeown.exe
Token: SeTakeOwnershipPrivilege	3256	takeown.exe
Token: SeTakeOwnershipPrivilege	3892	conhost.exe
Token: SeTakeOwnershipPrivilege	972	takeown.exe
Token: SeTakeOwnershipPrivilege	3700	conhost.exe
Token: SeIncreaseQuotaPrivilege	4452	WMIC.exe
Token: SeSecurityPrivilege	4452	WMIC.exe
Token: SeTakeOwnershipPrivilege	4452	WMIC.exe
Token: SeLoadDriverPrivilege	4452	WMIC.exe
Token: SeSystemProfilePrivilege	4452	WMIC.exe
Token: SeSystemtimePrivilege	4452	WMIC.exe
Token: SeProfSingleProcessPrivilege	4452	WMIC.exe
Token: SeIncBasePriorityPrivilege	4452	WMIC.exe
Token: SeCreatePagefilePrivilege	4452	WMIC.exe
Token: SeBackupPrivilege	4452	WMIC.exe
Token: SeRestorePrivilege	4452	WMIC.exe
Token: SeShutdownPrivilege	4452	WMIC.exe
Token: SeDebugPrivilege	4452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4452	WMIC.exe
Token: SeRemoteShutdownPrivilege	4452	WMIC.exe
Token: SeUndockPrivilege	4452	WMIC.exe
Token: SeManageVolumePrivilege	4452	WMIC.exe
Token: 33	4452	WMIC.exe
Token: 34	4452	WMIC.exe
Token: 35	4452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4452	WMIC.exe
Token: SeSecurityPrivilege	4452	WMIC.exe
Token: SeTakeOwnershipPrivilege	4452	WMIC.exe
Token: SeLoadDriverPrivilege	4452	WMIC.exe
Token: SeSystemProfilePrivilege	4452	WMIC.exe
Token: SeSystemtimePrivilege	4452	WMIC.exe
Token: SeProfSingleProcessPrivilege	4452	WMIC.exe
Token: SeIncBasePriorityPrivilege	4452	WMIC.exe
Token: SeCreatePagefilePrivilege	4452	WMIC.exe
Token: SeBackupPrivilege	4452	WMIC.exe
Token: SeRestorePrivilege	4452	WMIC.exe
Token: SeShutdownPrivilege	4452	WMIC.exe
Token: SeDebugPrivilege	4452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4452	WMIC.exe
Token: SeRemoteShutdownPrivilege	4452	WMIC.exe
Token: SeUndockPrivilege	4452	WMIC.exe
Token: SeManageVolumePrivilege	4452	WMIC.exe
Token: 33	4452	WMIC.exe
Token: 34	4452	WMIC.exe
Token: 35	4452	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	UCHMnGpZ.exe
Token: SeTakeOwnershipPrivilege	2212	UCHMnGpZ.exe
Token: SeTakeOwnershipPrivilege	2040	cmd.exe
Token: SeTakeOwnershipPrivilege	2196	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.execmd.execmd.execmd.exewscript.execmd.execmd.exeUCHMnGpZ.exe

description	pid	process	target process
PID 2872 wrote to memory of 1192	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 1192	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 1192	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 1192	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 2644	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWfz0cez.exe
PID 2872 wrote to memory of 2644	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWfz0cez.exe
PID 2872 wrote to memory of 2644	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWfz0cez.exe
PID 2872 wrote to memory of 2644	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	NWfz0cez.exe
PID 2872 wrote to memory of 824	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 824	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 824	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 824	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 592	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 592	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 592	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 592	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 824 wrote to memory of 1440	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1440	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1440	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1440	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1756	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1756	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1756	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1756	824	cmd.exe	reg.exe
PID 592 wrote to memory of 2320	592	cmd.exe	wscript.exe
PID 592 wrote to memory of 2320	592	cmd.exe	wscript.exe
PID 592 wrote to memory of 2320	592	cmd.exe	wscript.exe
PID 592 wrote to memory of 2320	592	cmd.exe	wscript.exe
PID 824 wrote to memory of 2148	824	cmd.exe	reg.exe
PID 824 wrote to memory of 2148	824	cmd.exe	reg.exe
PID 824 wrote to memory of 2148	824	cmd.exe	reg.exe
PID 824 wrote to memory of 2148	824	cmd.exe	reg.exe
PID 2872 wrote to memory of 2344	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 2344	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 2344	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2872 wrote to memory of 2344	2872	335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe	cmd.exe
PID 2344 wrote to memory of 1988	2344	cmd.exe	cacls.exe
PID 2344 wrote to memory of 1988	2344	cmd.exe	cacls.exe
PID 2344 wrote to memory of 1988	2344	cmd.exe	cacls.exe
PID 2344 wrote to memory of 1988	2344	cmd.exe	cacls.exe
PID 2344 wrote to memory of 2832	2344	cmd.exe	takeown.exe
PID 2344 wrote to memory of 2832	2344	cmd.exe	takeown.exe
PID 2344 wrote to memory of 2832	2344	cmd.exe	takeown.exe
PID 2344 wrote to memory of 2832	2344	cmd.exe	takeown.exe
PID 2320 wrote to memory of 3156	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3156	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3156	2320	wscript.exe	cmd.exe
PID 2320 wrote to memory of 3156	2320	wscript.exe	cmd.exe
PID 2344 wrote to memory of 2708	2344	cmd.exe	cmd.exe
PID 2344 wrote to memory of 2708	2344	cmd.exe	cmd.exe
PID 2344 wrote to memory of 2708	2344	cmd.exe	cmd.exe
PID 2344 wrote to memory of 2708	2344	cmd.exe	cmd.exe
PID 3156 wrote to memory of 1872	3156	cmd.exe	schtasks.exe
PID 3156 wrote to memory of 1872	3156	cmd.exe	schtasks.exe
PID 3156 wrote to memory of 1872	3156	cmd.exe	schtasks.exe
PID 3156 wrote to memory of 1872	3156	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 3120	2708	cmd.exe	UCHMnGpZ.exe
PID 2708 wrote to memory of 3120	2708	cmd.exe	UCHMnGpZ.exe
PID 2708 wrote to memory of 3120	2708	cmd.exe	UCHMnGpZ.exe
PID 2708 wrote to memory of 3120	2708	cmd.exe	UCHMnGpZ.exe
PID 3120 wrote to memory of 3416	3120	UCHMnGpZ.exe	UCHMnGpZ64.exe
PID 3120 wrote to memory of 3416	3120	UCHMnGpZ.exe	UCHMnGpZ64.exe
PID 3120 wrote to memory of 3416	3120	UCHMnGpZ.exe	UCHMnGpZ64.exe
PID 3120 wrote to memory of 3416	3120	UCHMnGpZ.exe	UCHMnGpZ64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
"C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe" "C:\Users\Admin\AppData\Local\Temp\NWfz0cez.exe"
  2⤵
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\NWfz0cez.exe
  "C:\Users\Admin\AppData\Local\Temp\NWfz0cez.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Mia9doP5.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Mia9doP5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Zhwpojmj.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Zhwpojmj.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:4856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fLANsULi.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fLANsULi.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1440
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Modifies file permissions
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ64.exe
        
        UCHMnGpZ.exe -accepteula "AdobeID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:3864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:4464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:3168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:1440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3684
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:3600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2324
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:3276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3728
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui"
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui" /E /G Admin:F /C
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
        
        UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
        5⤵
        
        PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:3492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1372
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:4416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:2472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
      4⤵
      PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:324
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:4520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
        
        UCHMnGpZ.exe -accepteula "forms_distributed.gif" -nobanner
        5⤵
        
        PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
      4⤵
      PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2296
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:5004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2132
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  - Loads dropped DLL
  PID:4664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:4768
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
        
        UCHMnGpZ.exe -accepteula "ZX______.PFB" -nobanner
        5⤵
        
        PID:4716
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  - Loads dropped DLL
  PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  - Loads dropped DLL
  PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  - Loads dropped DLL
  PID:3704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:320
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  - Loads dropped DLL
  PID:3768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:3644
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  - Loads dropped DLL
  PID:276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
        
        UCHMnGpZ.exe -accepteula "Workflow.Targets" -nobanner
        5⤵
        Loads dropped DLL
        
        PID:2968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  - Loads dropped DLL
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      Executes dropped EXE
      PID:3040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  - Loads dropped DLL
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    PID:3620
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "eng.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C
        5⤵
        Executes dropped EXE
        
        PID:3264
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"
        5⤵
        Modifies file permissions
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
        5⤵
        
        PID:3172
      - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
        
        UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
        6⤵
        
        PID:4036
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  - Loads dropped DLL
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4024
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui""
  2⤵
  PID:3412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:4400
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\Journal.exe.mui"
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3544
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Music.jtp" -nobanner
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Music.jtp" -nobanner
      4⤵
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui""
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4128
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui"
    3⤵
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui""
  2⤵
  PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui""
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui""
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui""
  2⤵
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4616
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:5112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
      4⤵
      PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:4876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:4972
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:5032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:4960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:5092
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:4748
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:108
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:2732
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:4860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    - Modifies file permissions
    PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:3644
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
        
        UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
        5⤵
        
        PID:3896
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    - Executes dropped EXE
    - Modifies file permissions
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:3608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui""
  2⤵
  - Executes dropped EXE
  PID:3600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3324
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""
  2⤵
  - Executes dropped EXE
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui""
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  PID:592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:3892
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4008
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:4100
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:3068
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:4152
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:4284
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    - Modifies file permissions
    PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:4596
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:4896
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:4996
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4928
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:2560
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:2860
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    PID:3796
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Loads dropped DLL
      PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    - Executes dropped EXE
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3172
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    - Loads dropped DLL
    PID:3372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Loads dropped DLL
    PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3312
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:3268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2216
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2436
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2144
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4232
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:324
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:4540
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:2296
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:2136
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    - Modifies file permissions
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:4620
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    - Modifies file permissions
    PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:4724
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:3140
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:3796
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1084
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    - Modifies file permissions
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:692
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:3944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:3596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:3756
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:4016
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2500
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2492
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3452
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:4792
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      PID:4248
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:4200
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4552
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:2224
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:4636
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:4724
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:4756
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3532
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  PID:616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:2924
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3224
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3328
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3556
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    - Modifies file permissions
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:3408
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
      UCHMnGpZ.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:3632
- - C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
    UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:4084

C:\Windows\system32\taskeng.exe
taskeng.exe {8ACF18E0-6FE6-42EF-8170-18F12B3AA326} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:4072
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Zhwpojmj.bat"
  2⤵
  PID:3784
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4460
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4700
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4768

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "DefaultID.pdf" -nobanner
1⤵
- Executes dropped EXE
PID:2480

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "Dynamic.pdf" -nobanner
1⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "ENUtxt.pdf" -nobanner
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
1⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
1⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "WinMail.exe" -nobanner
1⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "ImagingDevices.exe.mui" -nobanner
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-722199867-1641373550-572264417-972841702757401937-2026657046-20749018001267283894"
1⤵
PID:1632

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
1⤵
- Modifies file permissions
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "ended_review_or_form.gif" -nobanner
1⤵
- Loads dropped DLL
PID:836
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "ended_review_or_form.gif" -nobanner
  2⤵
  - Executes dropped EXE
  PID:2392

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
- Executes dropped EXE
PID:2508
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
  2⤵
  - Modifies file permissions
  PID:3572
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
  2⤵
  PID:1372

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
1⤵
PID:3088

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
1⤵
PID:3132

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
1⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "zdingbat.txt" -nobanner
1⤵
- Loads dropped DLL
PID:3516
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "zdingbat.txt" -nobanner
  2⤵
  PID:1964

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
1⤵
PID:1740

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
1⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "TURKISH.TXT" -nobanner
1⤵
- Loads dropped DLL
PID:2948
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "TURKISH.TXT" -nobanner
  2⤵
  PID:3232

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3600

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
1⤵
- Modifies file permissions
PID:3720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:1564

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
1⤵
PID:3752

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
1⤵
PID:4472

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui" /E /G Admin:F /C
1⤵
PID:3052

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui"
1⤵
- Modifies file permissions
PID:2040

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2156

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui" /E /G Admin:F /C
1⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
  2⤵
  PID:2436

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:2660

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui"
1⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "PhotoAcq.dll.mui" -nobanner
  2⤵
  PID:4160

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "eula.ini" -nobanner
1⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2840

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui"
1⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PDIALOG.exe.mui" -nobanner
1⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
1⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "eng.hyp" -nobanner
1⤵
PID:272
- C:\Windows\SysWOW64\cacls.exe
  cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
  2⤵
  - Loads dropped DLL
  PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
  2⤵
  PID:3108
- C:\Windows\SysWOW64\takeown.exe
  takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
  2⤵
  PID:2092

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "AcroSign.prc" -nobanner
1⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "ReadMe.htm" -nobanner
1⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "MinionPro-It.otf" -nobanner
1⤵
PID:4644

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "CP1250.TXT" -nobanner
1⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "CP1250.TXT" -nobanner
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3740

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
1⤵
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3719101711882347306-483321979-691445778159520756712349411111360108214494467234"
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
1⤵
- Modifies file permissions
PID:3036

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-115238188312302771-21866642-95143427850921822820763685871412877783249952919"
1⤵
- Loads dropped DLL
PID:2868

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "background.png" -nobanner
1⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
1⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "Workflow.Targets" -nobanner
1⤵
PID:2272

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-93806188620016051431672322329-1255079574-1403695679-1545407439-10604972051628844132"
1⤵
- Loads dropped DLL
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1947166720-61987354-7347439861945473313-26715540-1958716398-12713043881378600938"
1⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "msoeres.dll.mui" -nobanner
1⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "Genko_2.jtp" -nobanner
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
1⤵
PID:4068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18985617451019874443196721038-142684826-1243434816-533730504-1134079902-822810711"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
1⤵
PID:3464

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
1⤵
PID:4484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-802357176184164744114221721631429851346-13026422717576202461390602686103819970"
1⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "AUMProduct.cer" -nobanner
1⤵
PID:2644

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "email_all.gif" -nobanner
1⤵
PID:3156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55141473-902980343116839283915811897111286202962563188446416319363-1590198425"
1⤵
PID:2660

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
1⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
1⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
1⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:4512

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
1⤵
PID:4340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "217037301305642207782325481-413063317-408232124-745598271-550652172221251985"
1⤵
PID:4552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1924764164-648632903-1613441585-12302560412095924186-1668132901668755886-1271141027"
1⤵
PID:5092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6422171542005719322321345671-182172522412963176001075130260509736143853385482"
1⤵
PID:4628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1181531842-452955229-10774338451374151768-951826788-713336759-5773846491674388348"
1⤵
PID:4720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
1⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
1⤵
PID:2688
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "PhotoViewer.dll.mui" -nobanner
  2⤵
  PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1533235412-1223725453308808801-16834064561036067508-72831238-9861137811845525079"
1⤵
PID:4592

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
1⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "SolitaireMCE.png" -nobanner
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "SolitaireMCE.png" -nobanner
  2⤵
  PID:3712

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:3908

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
1⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
1⤵
PID:956

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
1⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "classes.jsa" -nobanner
1⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "classes.jsa" -nobanner
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
1⤵
- Modifies file permissions
PID:2204

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1812

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
1⤵
- Modifies file permissions
PID:4776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1022553686-106759450178161256388744220914903581977133487089821651641805118453"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17474412949372062251648446852-134291266811524056121430042560-766589877-192811521"
1⤵
- Loads dropped DLL
PID:3200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "952320831-963340837-977549388-699400545-1648765855593042840670034616-775024454"
1⤵
PID:3684

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
1⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "PDIALOG.exe" -nobanner
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "PDIALOG.exe" -nobanner
  2⤵
  PID:3880

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
1⤵
PID:1512

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
1⤵
- Loads dropped DLL
PID:3212

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "NBMapTIP.dll.mui" -nobanner
1⤵
PID:3716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-564151139114061127417193144481346161424174473979517905313726991415-1062462313"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
1⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c UCHMnGpZ.exe -accepteula "LogTransport2.exe" -nobanner
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
  UCHMnGpZ.exe -accepteula "LogTransport2.exe" -nobanner
  2⤵
  PID:228

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula -c Run -y -p extract -nobanner
1⤵
PID:1708

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
1⤵
PID:3888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1623992944-153089442111613471891864340039-741515695967948312560434511837946625"
1⤵
PID:3396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1461169778-1181971490-141039959210579491990692845-1788001164993219207-1576533680"
1⤵
PID:3484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "236127099-356364789-838548451-17303023082074725818-20331387652043760739-666999578"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1465650136-13134067601693095947-918516321-643488468-646386326-308218481699836461"
1⤵
PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-496599335-960081012-108422059-5989996262084636344-179924509811883215041060416007"
1⤵
PID:4700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-726300849-135206921-309954349507719063-15166741911680914583853184169-649302090"
1⤵
PID:4304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "96203279815522105091800131817-1495427957-922546313541825267-250429635-1992115560"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "188347036247481022-4516483431841265461-202877358118923922671633121544524916021"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1326947840-1548115684-17493439441475442897-1711717835-9974643021512098829-1419816553"
1⤵
PID:3896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2087699714-13519844303854528677695805331710917912-136192125138339860-1255307041"
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe
UCHMnGpZ.exe -accepteula "CourierStd-Bold.otf" -nobanner
1⤵
PID:3696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1921374478-2013120936114209042380615973521818917-1061905678-3831642321783509739"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-332793335-1788308547-733011575-17871119392141497565635414848-471431104-2134679443"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "451575768-223701474-13593026781690802832-960370317-1623842933-9854009591270582659"
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf

Filesize
8KB

MD5
0afd576a847f11bbbad22764d1a8c667

SHA1
5cba1af56d896a01c3e2039050a910cc9fa418e3

SHA256
5c9d00260b96443680ff7b604313a81ea789eb0f71e60ac465c77061cbd6eea9

SHA512
eaa7f4f2328d1e1e63d9bc04a3dadab74b888225a7ed53b0eb89460084886d81549593ae07170e8c7fce693ec077509fac16ee453eda34b829ce835ade2a38c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G4Aw1EPS.bat

Filesize
226B

MD5
f56f448a5530bad19a80062e73dac8ed

SHA1
cb77b25423949447f0ebee9619330b4f7071d4d6

SHA256
014d982446c940c41217cb5de1869cbfad2f96f8946beb3b6c79d5c60c843880

SHA512
394ab857c2998c40383931130c75eae0fe9ea6910ecf476eddbea5ee72725297a29611d7d898638db4f768a6e0a207116d9b792f1931c1d59e1770048fc93fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWfz0cez.exe

Filesize
412KB

MD5
684d1e2587001912dfa644d9e9d9bcd1

SHA1
c3fb6df0b5d648beabb87cb6a0f0b9cc57a89dc3

SHA256
5bf7539c345ff7a3d88cbf193793daeeccab709407bfb1e6f8ee30edfd653787

SHA512
17d3e416e285b7546648216652ba3caf2193ece6fac83bc1ab0bd41a2e62a317fdd3198f0236139e347fb5659448b9bbbab1c85ecd500716d6c7193f3c2abee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWfz0cez.exe

Filesize
339KB

MD5
752ff3b6fab876fcd62d6241de3c1fab

SHA1
a5a6d6a4ce0b4828d0e3b83b2300c0cd10588525

SHA256
707481f44e6d1c6585ab9f5899b8a5000456fa183d05ef166a50dac7f861d14e

SHA512
5945ce719afbeb49061a1ca2b3ef9f2956baf484dbd9a84bf8499dd74d18cd43f825384827f3d311daaff54edc11b83baeca487e583ae990b7ffa178062d666f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_4AB2BE8D9F607C9C.txt

Filesize
4KB

MD5
a190d0ed1fdadea7eca9288bf83e554a

SHA1
dca2553f3ed1e994cdd2c681e94a5f098b4e2c4e

SHA256
e55ed9facde7073ad4cbb0ee320385e311caee2850a0fa8f3d9421f6a95b5ee6

SHA512
167801d7dcf06823fd6f63c25645b9d07e24c8b733fc6eeecbfd1dad7a568a44899002ae0b5971466051963096dd9c736e8cf863e1a1ac8e99e0755355ba9c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_4AB2BE8D9F607C9C.txt

Filesize
32KB

MD5
49688d31103714c4e0cc9b8ff422ac60

SHA1
9b714e418d8cc56b8698dd87921c2595e8d5a0e0

SHA256
ad8ce2f9fd25ca9def6c46ee1b69a1300063bd6e95a9cd2875f464d01d3c179c

SHA512
4fd8fd74607df570fdefb4179c6bdd5d8a54ae9f47369de848016dc348c6bb89557cdf206e0015d4fed251a5ec6f57ac62bd96b55092c77ed962b091e9050b21

Download Submit
C:\Users\Admin\AppData\Roaming\Mia9doP5.vbs

Filesize
260B

MD5
65bd648fb8ebef0f8eb8a59335a0e116

SHA1
2bcd8aeb0d68629d2c2b14283745d79794c0576e

SHA256
b5d3e3276929a204f2788120d69d68a97e8de79edc09144c7cee3382d8d636ab

SHA512
2cc1999c65d620f506884fcb78bc4595bad2e41d910cfbb080d969dd8bd277d5ef07ba6f26622fb6957f2ef0d0133096e8158268c6aa8082e1178ec08a4be9f1

Download Submit
C:\Users\Admin\AppData\Roaming\Zhwpojmj.bat

Filesize
265B

MD5
225130ca45596490abe3a155011a2fc6

SHA1
ebd1effec748f8740070121d4a6bd1c6f24dccac

SHA256
045323cc784f3158c63a4d36c510b35c353a2b0e2a8447bb47843c26e34153a5

SHA512
051ef0a5c31aaa5cd2ea9f04e706fb4a01accac08f5528a8456db6dc648adf51a3cea75186745a163c0e54407a0373e051f06eded07a87015eba6984817dd536

Download Submit
\Users\Admin\AppData\Local\Temp\NWfz0cez.exe

Filesize
575KB

MD5
3da06bbf6f30fbc4d2e33404b2271934

SHA1
20fd66b34ccafcddb9d3abe949573ba95efd5a72

SHA256
2d464700afccd78384fff5cda9cce2cbc5bf8cf5ae2132590bf518fbe41e65e7

SHA512
a6d8c713c8a499efc9a67d941289c2a86dbe07653542cfa97829f489b9f0ec013f83951589268b733fef725e928b6ed6f74a230ff702b1a5e0fa945c89c8e79e

Download Submit
\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\UCHMnGpZ.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\UCHMnGpZ64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/272-7445-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/272-7444-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/320-7414-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/324-7352-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/576-7500-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/632-5546-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/704-7435-0x0000000000420000-0x0000000000497000-memory.dmp

Filesize
476KB

Download
memory/752-6931-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/788-7373-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/788-7374-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/960-6713-0x0000000001FA0000-0x0000000002017000-memory.dmp

Filesize
476KB

Download
memory/1084-7422-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1084-7423-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1372-6805-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1372-7362-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1440-6238-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1524-7446-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1576-7386-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-7441-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1884-5007-0x0000000001FE0000-0x0000000002057000-memory.dmp

Filesize
476KB

Download
memory/1896-7483-0x0000000000470000-0x00000000004E7000-memory.dmp

Filesize
476KB

Download
memory/1912-7425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1932-6921-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1964-7448-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1976-7401-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1992-7282-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2052-7488-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2132-7383-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2132-6712-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2132-7357-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2156-7502-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2180-7504-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2272-7421-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2296-7364-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2324-6263-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2392-7406-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2436-7510-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-7405-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2480-5092-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2500-6260-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2500-6170-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2508-7407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2644-10-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2676-7494-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2708-6172-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/2708-2463-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/2840-7512-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2852-7426-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2872-0-0x0000000000400000-0x0000000000A78000-memory.dmp

Filesize
6.5MB

Download
memory/2956-7281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3040-7434-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3048-7389-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3120-6175-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3120-2630-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-6234-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/3160-7470-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3200-7438-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/3232-7457-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3248-7419-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3264-7463-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3292-7506-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3368-7473-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3404-7465-0x0000000001F50000-0x0000000001FC7000-memory.dmp

Filesize
476KB

Download
memory/3480-7486-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3488-7475-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3492-7490-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3544-7492-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3564-7442-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3600-7458-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3632-6240-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3644-7418-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3668-6266-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3668-6267-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3684-6236-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3684-6714-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3704-6174-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3728-6331-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3760-7449-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3848-7416-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3864-5328-0x0000000000430000-0x00000000004A7000-memory.dmp

Filesize
476KB

Download
memory/3916-7436-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3920-6804-0x0000000001F90000-0x0000000002007000-memory.dmp

Filesize
476KB

Download
memory/3968-7481-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3980-7468-0x0000000001F80000-0x0000000001FF7000-memory.dmp

Filesize
476KB

Download
memory/4000-7433-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/4024-7467-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4068-7484-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4128-7518-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4160-7514-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4200-6628-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4280-7498-0x0000000001F30000-0x0000000001FA7000-memory.dmp

Filesize
476KB

Download
memory/4292-7335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4292-7377-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4320-7516-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4352-7359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4364-7404-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4372-6334-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4376-7461-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4400-7479-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4416-7344-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4452-5758-0x0000000000140000-0x00000000001B7000-memory.dmp

Filesize
476KB

Download
memory/4520-7367-0x0000000000200000-0x0000000000277000-memory.dmp

Filesize
476KB

Download
memory/4648-7392-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4748-7397-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4752-7398-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4768-7395-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4836-7400-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-7396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4984-7378-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5016-7368-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5016-7394-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5048-7372-0x0000000000170000-0x00000000001E7000-memory.dmp

Filesize
476KB

Download