matrix | 9918e219d70d57d1459e28aeb020893e696990cd6c4367f76344308f0e7383cd

Analysis

max time kernel
75s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
Size

1.2MB
MD5

504890ff01be54dfa0ce0b92624614a2
SHA1

f8ce09a61e7b131c1d48e621b65a4789f7d5feed
SHA256

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6
SHA512

45668897546f316af5565a63015cb91b2c9f275882bb39aa1c1b113b6a544f6bfdec1270e69ec932cbdc82432e1e86ff149eaf20747600cdd35086c286187fec
SSDEEP

24576:bxcxFP+OOobRioyJR5ezu413hJE5cxoBcYE41iZb0ZtA0fSWbasM:GfzBE6xs16gQ0fd9

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\Chess\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\datareporting\glean\db\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jre7\lib\security\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Public\Videos\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\Saved Games\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\storage\permanent\chrome\idb\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQHF6B80\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jre7\bin\server\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jre7\lib\zi\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Users\Admin\Desktop\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1476 bcdedit.exe
3508 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

eZTJ8vJB64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS eZTJ8vJB64.exe

pid	process
1476	bcdedit.exe
3508	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	eZTJ8vJB64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eZTJ8vJB64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	eZTJ8vJB64.exe

Executes dropped EXE 64 IoCs

Processes:

NWj6JRGk.exeeZTJ8vJB.exeeZTJ8vJB64.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exeeZTJ8vJB.exe

pid	process
2940	NWj6JRGk.exe
3984	eZTJ8vJB.exe
2208	eZTJ8vJB64.exe
2348	eZTJ8vJB.exe
2632	eZTJ8vJB.exe
1984	eZTJ8vJB.exe
2892	eZTJ8vJB.exe
3548	eZTJ8vJB.exe
3244	eZTJ8vJB.exe
2756	eZTJ8vJB.exe
1040	eZTJ8vJB.exe
888	eZTJ8vJB.exe
3664	eZTJ8vJB.exe
3320	eZTJ8vJB.exe
1924	eZTJ8vJB.exe
3776	eZTJ8vJB.exe
3424	eZTJ8vJB.exe
548	eZTJ8vJB.exe
3408	eZTJ8vJB.exe
3700	eZTJ8vJB.exe
2776	eZTJ8vJB.exe
2584	eZTJ8vJB.exe
2348	eZTJ8vJB.exe
1752	eZTJ8vJB.exe
2504	eZTJ8vJB.exe
3696	eZTJ8vJB.exe
2184	eZTJ8vJB.exe
1404	eZTJ8vJB.exe
3836	eZTJ8vJB.exe
864	eZTJ8vJB.exe
836	eZTJ8vJB.exe
1096	eZTJ8vJB.exe
2232	eZTJ8vJB.exe
1756	eZTJ8vJB.exe
2036	eZTJ8vJB.exe
3880	eZTJ8vJB.exe
4052	eZTJ8vJB.exe
1544	eZTJ8vJB.exe
784	eZTJ8vJB.exe
2768	eZTJ8vJB.exe
3868	eZTJ8vJB.exe
1496	eZTJ8vJB.exe
3740	eZTJ8vJB.exe
2104	eZTJ8vJB.exe
2032	eZTJ8vJB.exe
1156	eZTJ8vJB.exe
3156	eZTJ8vJB.exe
3916	eZTJ8vJB.exe
2888	eZTJ8vJB.exe
2040	eZTJ8vJB.exe
3640	eZTJ8vJB.exe
3296	eZTJ8vJB.exe
3148	eZTJ8vJB.exe
3688	eZTJ8vJB.exe
2756	eZTJ8vJB.exe
3600	eZTJ8vJB.exe
3520	eZTJ8vJB.exe
3396	eZTJ8vJB.exe
1564	eZTJ8vJB.exe
1924	eZTJ8vJB.exe
2724	eZTJ8vJB.exe
2508	eZTJ8vJB.exe
2556	eZTJ8vJB.exe
2848	eZTJ8vJB.exe

Loads dropped DLL 64 IoCs

Processes:

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.execmd.exeeZTJ8vJB.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
1536	cmd.exe
3984	eZTJ8vJB.exe
1624	cmd.exe
2456	cmd.exe
2264	cmd.exe
328	cmd.exe
3676	cmd.exe
1908	cmd.exe
1820	cmd.exe
3924	cmd.exe
3668	cmd.exe
2788	cmd.exe
1432	cmd.exe
868	cmd.exe
1020	cmd.exe
840	cmd.exe
2000	cmd.exe
3252	cmd.exe
3508	cmd.exe
1628	cmd.exe
4068	cmd.exe
3180	cmd.exe
4076	cmd.exe
1624	cmd.exe
2876	cmd.exe
2760	cmd.exe
1512	cmd.exe
3928	cmd.exe
1572	cmd.exe
3552	cmd.exe
932	cmd.exe
3112	cmd.exe
1068	cmd.exe
472	cmd.exe
2312	cmd.exe
2332	cmd.exe
2800	cmd.exe
4072	cmd.exe
1984	cmd.exe
2052	cmd.exe
1724	cmd.exe
2316	cmd.exe
1184	cmd.exe
816	cmd.exe
3516	cmd.exe
2448	cmd.exe
3096	cmd.exe
3136	cmd.exe
1216	cmd.exe
1744	cmd.exe
3536	cmd.exe
3336	cmd.exe
3416	cmd.exe
3656	cmd.exe
1324	cmd.exe
3620	cmd.exe
2788	cmd.exe
296	cmd.exe
2240	cmd.exe
1584	cmd.exe
3236	cmd.exe
2676	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
1328	takeown.exe
2724	takeown.exe
3760	takeown.exe
1824	takeown.exe
2640	takeown.exe
1068	takeown.exe
4044	takeown.exe
2552	takeown.exe
1332	takeown.exe
3304	takeown.exe
2836	takeown.exe
3536	takeown.exe
3784	takeown.exe
3068	takeown.exe
1200	takeown.exe
1732	takeown.exe
3320	takeown.exe
3644	takeown.exe
2580	takeown.exe
3264	takeown.exe
2632	takeown.exe
3028	takeown.exe
1704	takeown.exe
3980	takeown.exe
2320	takeown.exe
1712	takeown.exe
2016	takeown.exe
3564	takeown.exe
616	takeown.exe
2700	takeown.exe
1752	takeown.exe
2780	takeown.exe
4028	takeown.exe
1148	takeown.exe
2868	takeown.exe
1632	takeown.exe
588	takeown.exe
1616	takeown.exe
3792	takeown.exe
3016	takeown.exe
1704	takeown.exe
2168	takeown.exe
868	takeown.exe
2632	takeown.exe
3040	takeown.exe
1952	takeown.exe
484	takeown.exe
1804	takeown.exe
2592	takeown.exe
472	takeown.exe
3416	takeown.exe
2196	takeown.exe
1336	takeown.exe
928	takeown.exe
2096	takeown.exe
296	takeown.exe
3832	takeown.exe
2132	takeown.exe
2248	takeown.exe
1880	takeown.exe
2672	takeown.exe
2940	takeown.exe
2580	takeown.exe
3104	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe	upx
behavioral1/memory/3984-1649-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2348-5761-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2456-5805-0x0000000001F70000-0x0000000001FE7000-memory.dmp	upx
behavioral1/memory/2632-5807-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1984-5939-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2892-6057-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1984-5951-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3548-6251-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3244-6441-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3244-6505-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2756-7308-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1040-7311-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/888-7318-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/888-7319-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3664-7323-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3320-7329-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1924-7334-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3776-7340-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3424-7344-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/548-7351-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3408-7355-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3700-7359-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2776-7363-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2584-7366-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2348-7370-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1752-7374-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2504-7380-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3696-7384-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2184-7388-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1404-7391-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3836-7394-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/864-7398-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/836-7400-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1096-7404-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2232-7406-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1756-7407-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/472-7408-0x0000000000220000-0x0000000000297000-memory.dmp	upx
behavioral1/memory/2036-7409-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3880-7412-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4052-7413-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1544-7415-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/784-7418-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4072-7417-0x0000000000290000-0x0000000000307000-memory.dmp	upx
behavioral1/memory/2768-7419-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3868-7420-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1496-7423-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3740-7424-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2104-7429-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2032-7430-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1156-7433-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3156-7434-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3916-7437-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2888-7438-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2040-7439-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2040-7440-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3640-7442-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3296-7444-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3148-7446-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3688-7447-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2756-7448-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3520-7454-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3600-7452-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3396-7456-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 41 IoCs

Processes:

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQHF6B80\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CJQLK5UF\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5B8DS9TT\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y3HLRHFA\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exeeZTJ8vJB64.exe

description	ioc	process
File opened (read-only)	\??\S:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\O:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\X:	eZTJ8vJB64.exe
File opened (read-only)	\??\R:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\M:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\H:	eZTJ8vJB64.exe
File opened (read-only)	\??\M:	eZTJ8vJB64.exe
File opened (read-only)	\??\N:	eZTJ8vJB64.exe
File opened (read-only)	\??\R:	eZTJ8vJB64.exe
File opened (read-only)	\??\X:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\Q:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\P:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\L:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\E:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\B:	eZTJ8vJB64.exe
File opened (read-only)	\??\K:	eZTJ8vJB64.exe
File opened (read-only)	\??\Z:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\I:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\J:	eZTJ8vJB64.exe
File opened (read-only)	\??\V:	eZTJ8vJB64.exe
File opened (read-only)	\??\W:	eZTJ8vJB64.exe
File opened (read-only)	\??\H:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\E:	eZTJ8vJB64.exe
File opened (read-only)	\??\O:	eZTJ8vJB64.exe
File opened (read-only)	\??\Q:	eZTJ8vJB64.exe
File opened (read-only)	\??\Y:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\W:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\V:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\T:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\G:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\G:	eZTJ8vJB64.exe
File opened (read-only)	\??\S:	eZTJ8vJB64.exe
File opened (read-only)	\??\U:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\N:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\A:	eZTJ8vJB64.exe
File opened (read-only)	\??\I:	eZTJ8vJB64.exe
File opened (read-only)	\??\L:	eZTJ8vJB64.exe
File opened (read-only)	\??\Z:	eZTJ8vJB64.exe
File opened (read-only)	\??\K:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\J:	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened (read-only)	\??\P:	eZTJ8vJB64.exe
File opened (read-only)	\??\T:	eZTJ8vJB64.exe
File opened (read-only)	\??\U:	eZTJ8vJB64.exe
File opened (read-only)	\??\Y:	eZTJ8vJB64.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\4uItOBND.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\abcpy.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\#SNT2_INFO#.rtf	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\shvlzm.exe.mui	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2852 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2588 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2852	schtasks.exe

pid	process
2588	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

3616 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

eZTJ8vJB64.exe

pid process

2208 eZTJ8vJB64.exe
2208 eZTJ8vJB64.exe
2208 eZTJ8vJB64.exe
2208 eZTJ8vJB64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

eZTJ8vJB64.exe

pid process

2208 eZTJ8vJB64.exe

pid	process
3616	WINWORD.EXE

pid	process
2208	eZTJ8vJB64.exe
2208	eZTJ8vJB64.exe
2208	eZTJ8vJB64.exe
2208	eZTJ8vJB64.exe

pid	process
2208	eZTJ8vJB64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

eZTJ8vJB64.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2208	eZTJ8vJB64.exe
Token: SeLoadDriverPrivilege	2208	eZTJ8vJB64.exe
Token: SeBackupPrivilege	3572	vssvc.exe
Token: SeRestorePrivilege	3572	vssvc.exe
Token: SeAuditPrivilege	3572	vssvc.exe
Token: SeTakeOwnershipPrivilege	2624	takeown.exe
Token: SeTakeOwnershipPrivilege	3420	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	2632	takeown.exe
Token: SeTakeOwnershipPrivilege	1616	takeown.exe
Token: SeTakeOwnershipPrivilege	3908	takeown.exe
Token: SeTakeOwnershipPrivilege	848	takeown.exe
Token: SeTakeOwnershipPrivilege	2096	takeown.exe
Token: SeTakeOwnershipPrivilege	3028	takeown.exe
Token: SeTakeOwnershipPrivilege	2320	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	takeown.exe
Token: SeTakeOwnershipPrivilege	3756	takeown.exe
Token: SeTakeOwnershipPrivilege	588	takeown.exe
Token: SeTakeOwnershipPrivilege	3912	takeown.exe
Token: SeTakeOwnershipPrivilege	3948	takeown.exe
Token: SeTakeOwnershipPrivilege	3968	takeown.exe
Token: SeTakeOwnershipPrivilege	2940	takeown.exe
Token: SeTakeOwnershipPrivilege	2700	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	2140	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe
Token: SeTakeOwnershipPrivilege	2672	takeown.exe
Token: SeTakeOwnershipPrivilege	3248	takeown.exe
Token: SeTakeOwnershipPrivilege	1752	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	3792	takeown.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.exe

pid process

3472 Setup.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

3616 WINWORD.EXE
3616 WINWORD.EXE

pid	process
3472	Setup.exe

pid	process
3616	WINWORD.EXE
3616	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.execmd.execmd.execmd.exewscript.execmd.execmd.exeeZTJ8vJB.exe

description	pid	process	target process
PID 2500 wrote to memory of 2596	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2596	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2596	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2596	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2940	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	NWj6JRGk.exe
PID 2500 wrote to memory of 2940	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	NWj6JRGk.exe
PID 2500 wrote to memory of 2940	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	NWj6JRGk.exe
PID 2500 wrote to memory of 2940	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	NWj6JRGk.exe
PID 2500 wrote to memory of 1664	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 1664	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 1664	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 1664	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 748	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 748	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 748	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 748	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 748 wrote to memory of 2736	748	cmd.exe	wscript.exe
PID 748 wrote to memory of 2736	748	cmd.exe	wscript.exe
PID 748 wrote to memory of 2736	748	cmd.exe	wscript.exe
PID 748 wrote to memory of 2736	748	cmd.exe	wscript.exe
PID 1664 wrote to memory of 472	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 472	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 472	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 472	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1464	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1464	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1464	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1464	1664	cmd.exe	reg.exe
PID 2500 wrote to memory of 2412	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2412	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2412	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 2500 wrote to memory of 2412	2500	5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe	cmd.exe
PID 1664 wrote to memory of 3180	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 3180	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 3180	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 3180	1664	cmd.exe	reg.exe
PID 2412 wrote to memory of 4012	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4012	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4012	2412	cmd.exe	cacls.exe
PID 2412 wrote to memory of 4012	2412	cmd.exe	cacls.exe
PID 2736 wrote to memory of 1644	2736	wscript.exe	cmd.exe
PID 2736 wrote to memory of 1644	2736	wscript.exe	cmd.exe
PID 2736 wrote to memory of 1644	2736	wscript.exe	cmd.exe
PID 2736 wrote to memory of 1644	2736	wscript.exe	cmd.exe
PID 2412 wrote to memory of 1572	2412	cmd.exe	takeown.exe
PID 2412 wrote to memory of 1572	2412	cmd.exe	takeown.exe
PID 2412 wrote to memory of 1572	2412	cmd.exe	takeown.exe
PID 2412 wrote to memory of 1572	2412	cmd.exe	takeown.exe
PID 1644 wrote to memory of 2852	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 2852	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 2852	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 2852	1644	cmd.exe	schtasks.exe
PID 2412 wrote to memory of 1536	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 1536	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 1536	2412	cmd.exe	cmd.exe
PID 2412 wrote to memory of 1536	2412	cmd.exe	cmd.exe
PID 1536 wrote to memory of 3984	1536	cmd.exe	eZTJ8vJB.exe
PID 1536 wrote to memory of 3984	1536	cmd.exe	eZTJ8vJB.exe
PID 1536 wrote to memory of 3984	1536	cmd.exe	eZTJ8vJB.exe
PID 1536 wrote to memory of 3984	1536	cmd.exe	eZTJ8vJB.exe
PID 3984 wrote to memory of 2208	3984	eZTJ8vJB.exe	eZTJ8vJB64.exe
PID 3984 wrote to memory of 2208	3984	eZTJ8vJB.exe	eZTJ8vJB64.exe
PID 3984 wrote to memory of 2208	3984	eZTJ8vJB.exe	eZTJ8vJB64.exe
PID 3984 wrote to memory of 2208	3984	eZTJ8vJB.exe	eZTJ8vJB64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe
"C:\Users\Admin\AppData\Local\Temp\5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6.exe" "C:\Users\Admin\AppData\Local\Temp\NWj6JRGk.exe"
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\NWj6JRGk.exe
  "C:\Users\Admin\AppData\Local\Temp\NWj6JRGk.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4uItOBND.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4uItOBND.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ho9tXtXQ.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ho9tXtXQ.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\hrdcswsM.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\hrdcswsM.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:3772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB64.exe
        
        eZTJ8vJB.exe -accepteula "AdobeID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:2456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2348
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3548
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:2788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:888
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3776
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:548
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3700
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  PID:3180
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  - Loads dropped DLL
  PID:2760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:3696
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:3112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1756
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:4072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1544
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:2052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:2316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  - Loads dropped DLL
  PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Genko_2.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:3336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3296
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3688
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  - Loads dropped DLL
  PID:3620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "wab.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:3600
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1924
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  - Loads dropped DLL
  PID:2676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    - Modifies file permissions
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2956
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2832
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    - Modifies file permissions
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:2324
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:432
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:4092
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:2292
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:2396
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    - Modifies file permissions
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:3536
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:680
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:3288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:4028
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    - Modifies file permissions
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:4040
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:2372
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:3332
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    - Modifies file permissions
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:4016
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:3296
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:3372
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    - Modifies file permissions
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Modifies file permissions
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:2056
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:2240
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:3288
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:3312
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    - Modifies file permissions
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3000
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      PID:2320
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2420
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1336
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2276
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3992
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1200
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:3436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3656
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "background.png" -nobanner
      4⤵
      PID:296
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:2488
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  PID:548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:3192
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3248
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:4064
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:928
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:4008
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:2388
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:3172
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:3600
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:296
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:2168
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:332
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    - Modifies file permissions
    PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "main.css" -nobanner
    3⤵
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:3020
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    - Modifies file permissions
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:3400
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    - Modifies file permissions
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1188
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:3780
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    - Modifies file permissions
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:3868
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    - Modifies file permissions
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:2388
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui""
  2⤵
  PID:616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui""
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui"
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:868
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2488
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2672
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Modifies file permissions
    PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:3068
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:3852
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1020
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    - Modifies file permissions
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:3116
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:3296
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3644
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2300
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3176
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "license.html" -nobanner
    3⤵
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "license.html" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Modifies file permissions
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:4064
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:3840
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    - Modifies file permissions
    PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    - Modifies file permissions
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:3932
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:1136
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:4068
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    - Modifies file permissions
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:3828
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui""
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  PID:332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3180
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui""
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui"
    3⤵
    - Modifies file permissions
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2544
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Modifies file permissions
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:3240
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:3844
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3852
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:2420
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    - Modifies file permissions
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:3764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:3064
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
      eZTJ8vJB.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe
    eZTJ8vJB.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:3464

C:\Windows\system32\taskeng.exe
taskeng.exe {4496AC55-D3A1-40F9-AF3E-175F42C70BED} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
1⤵
PID:4004
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\hrdcswsM.bat"
  2⤵
  PID:2224
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1476
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3508
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\#SNT2_INFO#.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:3472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "573153943-17481149036400658511104429370-723932636-217435812767880708-2132002272"
1⤵
PID:3996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17593386911487836767793516221527022471182387442912438699941699610708164218226"
1⤵
PID:1184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1482766193-1904624942-829141398-33204973913979122781656175377352384032-1027940442"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "803413888-746835559-1245516329-8959723720544526071758471432-2104848017-1730068619"
1⤵
PID:2212

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
PID:2320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DD0898531DC17514D321C6EB7C43FDC
  2⤵
  PID:2260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C0FC00E8E43E9635ED015C0F1B10124
  2⤵
  PID:2372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F3172CA9AD99D92EDCFCD4742F5F15C7 M Global\MSI0000
  2⤵
  PID:3440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E4B2A351DF274E03B634ED2266DB48A4
  2⤵
  PID:1216

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Public\Desktop\#SNT2_INFO#.rtf"
1⤵
PID:2464

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
PID:2604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1625554272-164822098912048075456288606181849462825-20753675781467330695-206614070"
1⤵
PID:276

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
PID:852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1873985770-365544559-5869599221299319764-867847231-1997199284932952721287549871"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "607095952-1192982180-999721462350062146-1189814390-4114627695336002681236651521"
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f777e87.rbs

Filesize
650KB

MD5
76b9ff1e19902b6ffbc421b62de1f0e5

SHA1
27fb1d88d3400bd1cdc8dff411aa7eeba602a0bc

SHA256
03f0376e65eb3ae0dc53bf0e30998db324c59e529e5491ebc63db3769c0a1f58

SHA512
0e47fe87474d0947a4e6da56f65774523069524b4778594d073483cf05236a36dc91fa7090c2dded5f50656b1e6023146b6e645e912bc1cbc8542d0506d9a173

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\#SNT2_INFO#.rtf

Filesize
13KB

MD5
bdf190e81c2bc0d84386365dbe5a7f04

SHA1
9e0314dd0d105398666f65f13e5f773de1e3bd6c

SHA256
832ad9f426844e9fd94ef23bb2fb8ca20879407302d5dc2d9f5f7496353e5cfb

SHA512
3a8638f1524b2ed9fb7c91507a15006a50632f4a23bfd3c0a93930eddd836c037394152298d809eeae010ed4aba4701626b747fc9055ec7534d09efd4b92cd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kvm7g9hN.bat

Filesize
226B

MD5
c1cf33abdf71be71cf4ebf0bc9234aaf

SHA1
bbb797ab378b82375fdabc81a903268830139bb2

SHA256
76e19059862f400352bcc381b0d689c309c977ea565aa077e24ce00984773eb0

SHA512
f44a1a52068a65fbf9b99ce705ef84b68c8164a8e32520eb3ec5228e088be54ad9d60b535b8479985d6b160f7bc38b35b1e272f0b7682953c9c39a2896897546

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWj6JRGk.exe

Filesize
1.0MB

MD5
b0c7abaf6dcc140e130a9c2e29481d5c

SHA1
af1dbdf4848b2a46fd63adf88cd4fbcc33c403a5

SHA256
24ec4ee7063725d4715fa3ad91eee13c52ada9e5827bca87e3bdb308ba2260cf

SHA512
ee8c54130ca503e6a61d61b0d6ed083daa02cd1d38250d921415173581703313fc1252934c8f260c9f8d431c217a5edf6c67a1ecbef2b55d703e5a07fb34eb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup00000354\OSETUPUI.DLL

Filesize
187KB

MD5
196a884e700b7eb09b2cd0a48eccbc3a

SHA1
a400c341adaf960022fe4f97ab477e0ab1e02a96

SHA256
12babd301ab2f5a0cd35226d4939e1e200d5fcf90694a25690df7ad0ea28b55a

SHA512
b9f0229e3ed822b79ab2ffa41b67343215bde419a44c638422734f75191f2359bcfeb3553189e17a89b5edfa25016484ec78df48eb05049c72b1d393dd3f4041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup00000910\OSETUP.DLL

Filesize
5.5MB

MD5
fcc38158c5d62a39e1ba79a29d532240

SHA1
eca2d1e91c634bc8a4381239eb05f30803636c24

SHA256
e51a5292a06674cdbbcea240084b65186aa1dd2bc3316f61ff433d9d9f542a74

SHA512
0d224474a9358863e4bb8dacc48b219376d9cc89cea13f8d0c6f7b093dd420ceb185eb4d649e5bd5246758419d0531922b4f351df8ad580b3baa0fab88d89ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_4A875481C4483ABD.txt

Filesize
4KB

MD5
048f4fd4c8c46943bf8c0ee83a38d1ee

SHA1
74fd874011fe9cbe04336bb4840baecfd6d2a8c5

SHA256
a9346742e29ad302dc3083f165a0cf40afdf505eef6babc6cdd5eddb7eca2128

SHA512
c3eed031eabfa3e85e05697fa92af90ce72ee1117aa99d6103836cc47f0dc875082f2d42553d05b367f93aa8ba692d671d1ca8369366fb04777d8a0fa71a07ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZTJ8vJB64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
89B

MD5
9f8823a6212a942f2da0a4e7d7b80505

SHA1
173d8f82773b623f684533e94ba705f4fd7b2bd5

SHA256
b2f315bcd8bca446bad3f0e7c34f6f68750d4f63fa9e0fe6dd84ca93a05850d0

SHA512
0d62e414c4734ade4cda70830831a6e3fe8f4343bfd9e50a6afe126228caa7ef67dec5af26579574b1ff849cfb952bcf7af42ce4fda77c9b3307b934d57a6ab8

Download Submit
C:\Users\Admin\AppData\Roaming\ho9tXtXQ.vbs

Filesize
260B

MD5
2d1a11d96ae2e8d6c26d320d67374357

SHA1
95d4caff3309ee11f1ae5528c81bdcf59dac0f66

SHA256
ddfea527ae4debd4c87f0ded2d5cbb70322a2036c39dc328dade1b25e7d87ffe

SHA512
f7bcf40dc589c327c59c8e3af776352b1253bfdbc3a042fd876d37934ececbb88c68fbc769e9cbf2acc307ab4d7ca5b3775901d1655742136e813b883e9fda61

Download Submit
C:\Windows\Installer\MSI183D.tmp

Filesize
107KB

MD5
9f0b9bc54bb73dfb7cf85520da1a08cb

SHA1
236f7b770317d782f0817fbf7542140cb1e1526e

SHA256
0d44d40e8bda72a3d6ca26665100b256848e2183029a6728c18ad97cd650547f

SHA512
8acfb05a7b4723776fa66c0f71bde90dd49243de5dd2a8cf1a1f09a1175f9346c12a717050bff5f3938bda6cc4c610ca1eab75d4b9b7c8bcfb97d9158727a10d

Download Submit
C:\Windows\Installer\MSI1DBE.tmp

Filesize
134KB

MD5
b8255a1bc3c307557741d2c99b8256d1

SHA1
48cc6f3c1a566f06684c5184cf830cbd7db638c2

SHA256
796aea9a46fb7704222a7fe1f4e27455b14640c816d6f961344f89dc47537b33

SHA512
85f685ad84f2208ad87ff34fb5e99edae50fc938a9335cb9747b7707d237c1b397c318090112eee0e9f04777ee004e26e7377f57c3e31159a96638b65110a69c

Download Submit
C:\Windows\Installer\MSI717.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Users\Admin\AppData\Local\Temp\NWj6JRGk.exe

Filesize
832KB

MD5
994b7600c9521ae73d7c52b36f68e5f2

SHA1
5e38b5939fe0ee5e8621f77e7cbfeeb891c20496

SHA256
118778aff8af73a9dd8df23fc3c7b4683d894a293e33d350c145ff0cd44cde57

SHA512
612fe3063e5997da7ee1751ff1af5a7445aaf6b8f458e04c13db3a4bd51db62731f9e747d428a207b83531ace174a794c453e3d93b0bb5fe1db00f758e0c6067

Download Submit
\Users\Admin\AppData\Local\Temp\NWj6JRGk.exe

Filesize
1.2MB

MD5
504890ff01be54dfa0ce0b92624614a2

SHA1
f8ce09a61e7b131c1d48e621b65a4789f7d5feed

SHA256
5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6

SHA512
45668897546f316af5565a63015cb91b2c9f275882bb39aa1c1b113b6a544f6bfdec1270e69ec932cbdc82432e1e86ff149eaf20747600cdd35086c286187fec

Download Submit
\Users\Admin\AppData\Local\Temp\eZTJ8vJB.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
memory/328-6058-0x0000000000460000-0x00000000004D7000-memory.dmp

Filesize
476KB

Download
memory/472-7408-0x0000000000220000-0x0000000000297000-memory.dmp

Filesize
476KB

Download
memory/548-7351-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/784-7432-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/784-7418-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-7400-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/840-7345-0x0000000000370000-0x00000000003E7000-memory.dmp

Filesize
476KB

Download
memory/860-7493-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/864-7398-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/868-7333-0x00000000004A0000-0x0000000000517000-memory.dmp

Filesize
476KB

Download
memory/888-7318-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/888-7319-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/932-7402-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1020-7339-0x0000000000180000-0x00000000001F7000-memory.dmp

Filesize
476KB

Download
memory/1040-7311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1096-7404-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1156-7433-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1324-7453-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/1404-7391-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1496-7423-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1496-7435-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1536-6192-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/1536-1440-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/1544-7415-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1564-7457-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1568-7475-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1572-7397-0x0000000001FB0000-0x0000000002027000-memory.dmp

Filesize
476KB

Download
memory/1624-5756-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-7377-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/1644-7491-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1752-7374-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1756-7407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1820-7305-0x0000000001F20000-0x0000000001F97000-memory.dmp

Filesize
476KB

Download
memory/1912-7487-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1924-7460-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1924-7459-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1924-7334-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1984-5939-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1984-5951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2032-7430-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2036-7409-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2040-7439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2040-7440-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2104-7429-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2184-7388-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2232-7406-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2312-7410-0x0000000001FC0000-0x0000000002037000-memory.dmp

Filesize
476KB

Download
memory/2348-5761-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2348-7307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2348-7370-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2456-5805-0x0000000001F70000-0x0000000001FE7000-memory.dmp

Filesize
476KB

Download
memory/2500-7443-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2500-3111-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2500-7327-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2500-7421-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2504-7380-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2504-7399-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2508-7464-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2556-7466-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2584-7366-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2584-7482-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2632-5807-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2644-7472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2644-7471-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2724-7462-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2756-7448-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2756-7308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2760-7387-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/2768-7419-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2776-7363-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2788-7321-0x0000000001EF0000-0x0000000001F67000-memory.dmp

Filesize
476KB

Download
memory/2800-7414-0x0000000000170000-0x00000000001E7000-memory.dmp

Filesize
476KB

Download
memory/2848-7469-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-7383-0x0000000001F60000-0x0000000001FD7000-memory.dmp

Filesize
476KB

Download
memory/2888-7438-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2892-6057-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2940-8-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2956-7506-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3064-7476-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/3076-7484-0x0000000001F20000-0x0000000001F97000-memory.dmp

Filesize
476KB

Download
memory/3148-7446-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3156-7434-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3180-7369-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/3244-6505-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3244-6441-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3252-7353-0x0000000000420000-0x0000000000497000-memory.dmp

Filesize
476KB

Download
memory/3296-7444-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3320-7329-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3396-7456-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3408-7355-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3424-7344-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3508-7357-0x0000000000350000-0x00000000003C7000-memory.dmp

Filesize
476KB

Download
memory/3520-7454-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3536-7445-0x0000000000220000-0x0000000000297000-memory.dmp

Filesize
476KB

Download
memory/3548-6251-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3548-7330-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3552-7401-0x0000000001FD0000-0x0000000002047000-memory.dmp

Filesize
476KB

Download
memory/3600-7452-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3616-7451-0x000000002FF31000-0x000000002FF32000-memory.dmp

Filesize
4KB

Download
memory/3616-7508-0x0000000070C4D000-0x0000000070C58000-memory.dmp

Filesize
44KB

Download
memory/3616-7480-0x0000000070C4D000-0x0000000070C58000-memory.dmp

Filesize
44KB

Download
memory/3640-7442-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3652-7473-0x0000000002020000-0x0000000002097000-memory.dmp

Filesize
476KB

Download
memory/3664-7323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3688-7447-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3696-7384-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3700-7359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3700-7478-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3740-7424-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3776-7340-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3836-7394-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3868-7420-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3880-7412-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3908-7504-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/3916-7437-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3984-1649-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4052-7413-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4072-7417-0x0000000000290000-0x0000000000307000-memory.dmp

Filesize
476KB

Download
memory/4076-7373-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download