matrix | 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MatrixRansomware.exe
Size

1.2MB
MD5

a93bd199d34d21cc9102600c6ce782cf
SHA1

31b50d84aa1af4f0e76a523382caba476f6e45dc
SHA256

242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
SHA512

642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2
SSDEEP

24576:NykKxXJdZiDTrfJR5ez1888K0aNE1eXTBoAlK/u95ByxXEfui:N8bcLK+KzlK/udyh/i

Score

10^/10

matrix credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\#README_EMAN#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 30E5CD98FD81F3F5\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 30E5CD98FD81F3F5\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 DJYfg6WM\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\MSBuild\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HE9LBEC2\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\de-DE\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\Contacts\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\zi\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Public\Videos\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\es-ES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Users\Public\Pictures\Sample Pictures\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe

Matrix family
matrix
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2608	bcdedit.exe
3784	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	VjYf8Dv064.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	VjYf8Dv064.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 64 IoCs

pid	Process
2748	NWJ8KRps.exe
832	VjYf8Dv0.exe
3432	VjYf8Dv064.exe
3060	VjYf8Dv0.exe
2296	VjYf8Dv0.exe
1404	VjYf8Dv0.exe
2228	VjYf8Dv0.exe
2252	VjYf8Dv0.exe
3560	VjYf8Dv0.exe
2140	VjYf8Dv0.exe
3436	VjYf8Dv0.exe
3280	VjYf8Dv0.exe
2356	VjYf8Dv0.exe
3392	VjYf8Dv0.exe
2596	VjYf8Dv0.exe
3964	VjYf8Dv0.exe
3912	VjYf8Dv0.exe
3160	VjYf8Dv0.exe
2756	VjYf8Dv0.exe
2828	VjYf8Dv0.exe
888	VjYf8Dv0.exe
1828	VjYf8Dv0.exe
3336	VjYf8Dv0.exe
688	VjYf8Dv0.exe
1444	VjYf8Dv0.exe
1656	VjYf8Dv0.exe
2860	VjYf8Dv0.exe
1684	VjYf8Dv0.exe
1904	VjYf8Dv0.exe
4048	VjYf8Dv0.exe
2720	VjYf8Dv0.exe
3528	VjYf8Dv0.exe
636	VjYf8Dv0.exe
2128	VjYf8Dv0.exe
3700	VjYf8Dv0.exe
3320	VjYf8Dv0.exe
3736	VjYf8Dv0.exe
2172	VjYf8Dv0.exe
856	VjYf8Dv0.exe
3124	VjYf8Dv0.exe
1704	VjYf8Dv0.exe
1536	VjYf8Dv0.exe
1900	VjYf8Dv0.exe
3208	VjYf8Dv0.exe
1432	VjYf8Dv0.exe
848	VjYf8Dv0.exe
2848	VjYf8Dv0.exe
1936	VjYf8Dv0.exe
2268	VjYf8Dv0.exe
2704	VjYf8Dv0.exe
2068	VjYf8Dv0.exe
3280	VjYf8Dv0.exe
3192	VjYf8Dv0.exe
772	VjYf8Dv0.exe
3112	VjYf8Dv0.exe
3856	VjYf8Dv0.exe
1120	VjYf8Dv0.exe
1844	VjYf8Dv0.exe
3172	VjYf8Dv0.exe
1512	VjYf8Dv0.exe
2620	VjYf8Dv0.exe
2412	VjYf8Dv0.exe
3004	VjYf8Dv0.exe
1708	VjYf8Dv0.exe

Loads dropped DLL 64 IoCs

pid	Process
2264	MatrixRansomware.exe
2264	MatrixRansomware.exe
3484	cmd.exe
832	VjYf8Dv0.exe
900	cmd.exe
340	cmd.exe
2508	cmd.exe
1432	cmd.exe
2600	cmd.exe
3892	cmd.exe
3020	cmd.exe
2728	cmd.exe
3652	cmd.exe
1272	cmd.exe
3396	cmd.exe
2524	cmd.exe
3976	cmd.exe
2424	cmd.exe
1908	cmd.exe
3928	cmd.exe
2176	cmd.exe
2820	cmd.exe
2244	cmd.exe
3608	cmd.exe
3792	cmd.exe
1212	cmd.exe
1884	cmd.exe
3272	cmd.exe
792	cmd.exe
2844	cmd.exe
3992	cmd.exe
3344	cmd.exe
1892	cmd.exe
1576	cmd.exe
2260	cmd.exe
1240	cmd.exe
1372	cmd.exe
900	cmd.exe
3368	cmd.exe
3688	cmd.exe
3276	cmd.exe
2200	cmd.exe
2548	cmd.exe
1740	cmd.exe
3880	cmd.exe
3196	cmd.exe
3560	cmd.exe
3024	cmd.exe
1412	cmd.exe
3516	cmd.exe
2612	cmd.exe
3020	cmd.exe
2748	cmd.exe
2680	cmd.exe
876	cmd.exe
2616	cmd.exe
2936	cmd.exe
216	cmd.exe
2192	cmd.exe
1864	cmd.exe
1700	cmd.exe
3260	cmd.exe
1136	cmd.exe
2608	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3460	Process not Found
2704	takeown.exe
1564	Process not Found
2120	takeown.exe
3780	Process not Found
2532	Process not Found
3868	takeown.exe
2484	takeown.exe
1512	takeown.exe
3820	takeown.exe
3092	takeown.exe
636	Process not Found
752	takeown.exe
3508	takeown.exe
3388	takeown.exe
3112	takeown.exe
4012	takeown.exe
1932	takeown.exe
2104	takeown.exe
1448	takeown.exe
4064	takeown.exe
2808	takeown.exe
3476	Process not Found
4052	Process not Found
2260	Process not Found
3984	takeown.exe
3652	takeown.exe
3684	takeown.exe
3456	takeown.exe
3216	Process not Found
2624	Process not Found
1656	takeown.exe
2200	takeown.exe
2664	takeown.exe
3392	takeown.exe
3180	takeown.exe
3928	takeown.exe
1564	Process not Found
3696	Process not Found
3224	takeown.exe
1372	takeown.exe
3036	Process not Found
3208	Process not Found
3796	Process not Found
2720	Process not Found
3628	takeown.exe
4076	takeown.exe
2608	Process not Found
2900	takeown.exe
4068	takeown.exe
1176	takeown.exe
2484	takeown.exe
2628	takeown.exe
2200	takeown.exe
1444	takeown.exe
2196	Process not Found
3940	takeown.exe
4040	takeown.exe
1304	takeown.exe
484	Process not Found
1736	Process not Found
1652	takeown.exe
3392	takeown.exe
580	takeown.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 41 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RM4QEUM4\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YLJ4V77F\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HE9LBEC2\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QJELLEL3\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	MatrixRansomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	MatrixRansomware.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	VjYf8Dv064.exe
File opened (read-only)	\??\V:	VjYf8Dv064.exe
File opened (read-only)	\??\L:	MatrixRansomware.exe
File opened (read-only)	\??\N:	VjYf8Dv064.exe
File opened (read-only)	\??\I:	MatrixRansomware.exe
File opened (read-only)	\??\K:	MatrixRansomware.exe
File opened (read-only)	\??\E:	VjYf8Dv064.exe
File opened (read-only)	\??\R:	VjYf8Dv064.exe
File opened (read-only)	\??\S:	VjYf8Dv064.exe
File opened (read-only)	\??\U:	VjYf8Dv064.exe
File opened (read-only)	\??\W:	VjYf8Dv064.exe
File opened (read-only)	\??\Z:	VjYf8Dv064.exe
File opened (read-only)	\??\W:	MatrixRansomware.exe
File opened (read-only)	\??\J:	MatrixRansomware.exe
File opened (read-only)	\??\E:	MatrixRansomware.exe
File opened (read-only)	\??\A:	VjYf8Dv064.exe
File opened (read-only)	\??\O:	VjYf8Dv064.exe
File opened (read-only)	\??\Y:	MatrixRansomware.exe
File opened (read-only)	\??\U:	MatrixRansomware.exe
File opened (read-only)	\??\T:	MatrixRansomware.exe
File opened (read-only)	\??\M:	MatrixRansomware.exe
File opened (read-only)	\??\H:	MatrixRansomware.exe
File opened (read-only)	\??\G:	MatrixRansomware.exe
File opened (read-only)	\??\L:	VjYf8Dv064.exe
File opened (read-only)	\??\P:	VjYf8Dv064.exe
File opened (read-only)	\??\V:	MatrixRansomware.exe
File opened (read-only)	\??\S:	MatrixRansomware.exe
File opened (read-only)	\??\B:	VjYf8Dv064.exe
File opened (read-only)	\??\K:	VjYf8Dv064.exe
File opened (read-only)	\??\M:	VjYf8Dv064.exe
File opened (read-only)	\??\Z:	MatrixRansomware.exe
File opened (read-only)	\??\Q:	MatrixRansomware.exe
File opened (read-only)	\??\P:	MatrixRansomware.exe
File opened (read-only)	\??\N:	MatrixRansomware.exe
File opened (read-only)	\??\J:	VjYf8Dv064.exe
File opened (read-only)	\??\Q:	VjYf8Dv064.exe
File opened (read-only)	\??\T:	VjYf8Dv064.exe
File opened (read-only)	\??\X:	VjYf8Dv064.exe
File opened (read-only)	\??\R:	MatrixRansomware.exe
File opened (read-only)	\??\Y:	VjYf8Dv064.exe
File opened (read-only)	\??\O:	MatrixRansomware.exe
File opened (read-only)	\??\H:	VjYf8Dv064.exe
File opened (read-only)	\??\I:	VjYf8Dv064.exe
File opened (read-only)	\??\X:	MatrixRansomware.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\OhOQAtM6.bmp"	reg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001600000001866d-1876.dat	upx
behavioral1/memory/832-1926-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3060-7407-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2296-7435-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/832-7439-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1404-7443-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2228-7447-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2252-7455-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3560-7459-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2252-7453-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2140-7468-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3436-7472-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3280-7478-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2356-7482-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3392-7487-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2596-7492-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3964-7498-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3912-7502-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3160-7512-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2756-7516-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2828-7522-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/888-7526-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1828-7530-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3336-7534-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/688-7540-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1444-7544-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1656-7547-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1656-7549-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2860-7553-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1684-7558-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1904-7564-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/4048-7567-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2720-7569-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3528-7572-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3528-7571-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/636-7574-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2128-7576-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3700-7577-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3700-7578-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3320-7580-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3736-7582-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2172-7584-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/856-7586-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3124-7591-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1704-7593-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1536-7596-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1900-7598-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1900-7597-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3208-7602-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1432-7603-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/848-7605-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2848-7607-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1900-7615-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1936-7616-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2268-7617-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2704-7619-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2068-7621-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3280-7626-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3192-7627-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/772-7629-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/3112-7631-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/2936-7633-0x0000000000160000-0x00000000001D7000-memory.dmp	upx
behavioral1/memory/3856-7635-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral1/memory/1120-7636-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\security\#README_EMAN#.rtf	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	MatrixRansomware.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta	MatrixRansomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok	MatrixRansomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	MatrixRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#README_EMAN#.rtf	MatrixRansomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	MatrixRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Miquelon	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar	MatrixRansomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	MatrixRansomware.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\Synchronization.rll	MatrixRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql70.xsl	MatrixRansomware.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjYf8Dv0.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 40 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2092	Process not Found
3876	cacls.exe
3088	cmd.exe
3536	cmd.exe
2748	cmd.exe
2684	cacls.exe
852	Process not Found
3488	cacls.exe
3564	cacls.exe
1532	cacls.exe
1592	Process not Found
2844	Process not Found
3784	cacls.exe
1660	cacls.exe
2384	cacls.exe
3780	Process not Found
3752	Process not Found
1412	Process not Found
2712	cacls.exe
3904	cmd.exe
3168	Process not Found
3644	Process not Found
3212	Process not Found
2164	Process not Found
1864	cmd.exe
3764	cmd.exe
3500	cmd.exe
3976	cmd.exe
3964	cacls.exe
3684	Process not Found
1864	cmd.exe
2404	Process not Found
1892	Process not Found
2980	Process not Found
216	cmd.exe
2668	cmd.exe
1176	cacls.exe
1960	Process not Found
3920	cmd.exe
1592	cacls.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1120	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3432	VjYf8Dv064.exe
3432	VjYf8Dv064.exe
3432	VjYf8Dv064.exe
3432	VjYf8Dv064.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3432	VjYf8Dv064.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	VjYf8Dv064.exe
Token: SeLoadDriverPrivilege	3432	VjYf8Dv064.exe
Token: SeBackupPrivilege	2012	vssvc.exe
Token: SeRestorePrivilege	2012	vssvc.exe
Token: SeAuditPrivilege	2012	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe
Token: SeSecurityPrivilege	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1676	WMIC.exe
Token: SeLoadDriverPrivilege	1676	WMIC.exe
Token: SeSystemProfilePrivilege	1676	WMIC.exe
Token: SeSystemtimePrivilege	1676	WMIC.exe
Token: SeProfSingleProcessPrivilege	1676	WMIC.exe
Token: SeIncBasePriorityPrivilege	1676	WMIC.exe
Token: SeCreatePagefilePrivilege	1676	WMIC.exe
Token: SeBackupPrivilege	1676	WMIC.exe
Token: SeRestorePrivilege	1676	WMIC.exe
Token: SeShutdownPrivilege	1676	WMIC.exe
Token: SeDebugPrivilege	1676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1676	WMIC.exe
Token: SeRemoteShutdownPrivilege	1676	WMIC.exe
Token: SeUndockPrivilege	1676	WMIC.exe
Token: SeManageVolumePrivilege	1676	WMIC.exe
Token: 33	1676	WMIC.exe
Token: 34	1676	WMIC.exe
Token: 35	1676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe
Token: SeSecurityPrivilege	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1676	WMIC.exe
Token: SeLoadDriverPrivilege	1676	WMIC.exe
Token: SeSystemProfilePrivilege	1676	WMIC.exe
Token: SeSystemtimePrivilege	1676	WMIC.exe
Token: SeProfSingleProcessPrivilege	1676	WMIC.exe
Token: SeIncBasePriorityPrivilege	1676	WMIC.exe
Token: SeCreatePagefilePrivilege	1676	WMIC.exe
Token: SeBackupPrivilege	1676	WMIC.exe
Token: SeRestorePrivilege	1676	WMIC.exe
Token: SeShutdownPrivilege	1676	WMIC.exe
Token: SeDebugPrivilege	1676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1676	WMIC.exe
Token: SeRemoteShutdownPrivilege	1676	WMIC.exe
Token: SeUndockPrivilege	1676	WMIC.exe
Token: SeManageVolumePrivilege	1676	WMIC.exe
Token: 33	1676	WMIC.exe
Token: 34	1676	WMIC.exe
Token: 35	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1400	takeown.exe
Token: SeTakeOwnershipPrivilege	3628	takeown.exe
Token: SeTakeOwnershipPrivilege	4064	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe
Token: SeTakeOwnershipPrivilege	2808	takeown.exe
Token: SeTakeOwnershipPrivilege	4012	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	4040	takeown.exe
Token: SeTakeOwnershipPrivilege	1548	takeown.exe
Token: SeTakeOwnershipPrivilege	1176	takeown.exe
Token: SeTakeOwnershipPrivilege	3708	takeown.exe
Token: SeTakeOwnershipPrivilege	3796	takeown.exe
Token: SeTakeOwnershipPrivilege	888	takeown.exe
Token: SeTakeOwnershipPrivilege	3608	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	1656	takeown.exe
Token: SeTakeOwnershipPrivilege	3224	takeown.exe
Token: SeTakeOwnershipPrivilege	2844	takeown.exe
Token: SeTakeOwnershipPrivilege	3984	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2700	2264	MatrixRansomware.exe	31
PID 2264 wrote to memory of 2700	2264	MatrixRansomware.exe	31
PID 2264 wrote to memory of 2700	2264	MatrixRansomware.exe	31
PID 2264 wrote to memory of 2700	2264	MatrixRansomware.exe	31
PID 2264 wrote to memory of 2748	2264	MatrixRansomware.exe	33
PID 2264 wrote to memory of 2748	2264	MatrixRansomware.exe	33
PID 2264 wrote to memory of 2748	2264	MatrixRansomware.exe	33
PID 2264 wrote to memory of 2748	2264	MatrixRansomware.exe	33
PID 2264 wrote to memory of 792	2264	MatrixRansomware.exe	35
PID 2264 wrote to memory of 792	2264	MatrixRansomware.exe	35
PID 2264 wrote to memory of 792	2264	MatrixRansomware.exe	35
PID 2264 wrote to memory of 792	2264	MatrixRansomware.exe	35
PID 2264 wrote to memory of 756	2264	MatrixRansomware.exe	37
PID 2264 wrote to memory of 756	2264	MatrixRansomware.exe	37
PID 2264 wrote to memory of 756	2264	MatrixRansomware.exe	37
PID 2264 wrote to memory of 756	2264	MatrixRansomware.exe	37
PID 792 wrote to memory of 320	792	cmd.exe	39
PID 792 wrote to memory of 320	792	cmd.exe	39
PID 792 wrote to memory of 320	792	cmd.exe	39
PID 792 wrote to memory of 320	792	cmd.exe	39
PID 756 wrote to memory of 2992	756	cmd.exe	40
PID 756 wrote to memory of 2992	756	cmd.exe	40
PID 756 wrote to memory of 2992	756	cmd.exe	40
PID 756 wrote to memory of 2992	756	cmd.exe	40
PID 792 wrote to memory of 1732	792	cmd.exe	41
PID 792 wrote to memory of 1732	792	cmd.exe	41
PID 792 wrote to memory of 1732	792	cmd.exe	41
PID 792 wrote to memory of 1732	792	cmd.exe	41
PID 792 wrote to memory of 1980	792	cmd.exe	42
PID 792 wrote to memory of 1980	792	cmd.exe	42
PID 792 wrote to memory of 1980	792	cmd.exe	42
PID 792 wrote to memory of 1980	792	cmd.exe	42
PID 2264 wrote to memory of 3116	2264	MatrixRansomware.exe	43
PID 2264 wrote to memory of 3116	2264	MatrixRansomware.exe	43
PID 2264 wrote to memory of 3116	2264	MatrixRansomware.exe	43
PID 2264 wrote to memory of 3116	2264	MatrixRansomware.exe	43
PID 3116 wrote to memory of 3804	3116	cmd.exe	45
PID 3116 wrote to memory of 3804	3116	cmd.exe	45
PID 3116 wrote to memory of 3804	3116	cmd.exe	45
PID 3116 wrote to memory of 3804	3116	cmd.exe	45
PID 3116 wrote to memory of 3196	3116	cmd.exe	46
PID 3116 wrote to memory of 3196	3116	cmd.exe	46
PID 3116 wrote to memory of 3196	3116	cmd.exe	46
PID 3116 wrote to memory of 3196	3116	cmd.exe	46
PID 2992 wrote to memory of 1072	2992	wscript.exe	47
PID 2992 wrote to memory of 1072	2992	wscript.exe	47
PID 2992 wrote to memory of 1072	2992	wscript.exe	47
PID 2992 wrote to memory of 1072	2992	wscript.exe	47
PID 1072 wrote to memory of 3528	1072	cmd.exe	49
PID 1072 wrote to memory of 3528	1072	cmd.exe	49
PID 1072 wrote to memory of 3528	1072	cmd.exe	49
PID 1072 wrote to memory of 3528	1072	cmd.exe	49
PID 3116 wrote to memory of 3484	3116	cmd.exe	50
PID 3116 wrote to memory of 3484	3116	cmd.exe	50
PID 3116 wrote to memory of 3484	3116	cmd.exe	50
PID 3116 wrote to memory of 3484	3116	cmd.exe	50
PID 3484 wrote to memory of 832	3484	cmd.exe	51
PID 3484 wrote to memory of 832	3484	cmd.exe	51
PID 3484 wrote to memory of 832	3484	cmd.exe	51
PID 3484 wrote to memory of 832	3484	cmd.exe	51
PID 832 wrote to memory of 3432	832	VjYf8Dv0.exe	52
PID 832 wrote to memory of 3432	832	VjYf8Dv0.exe	52
PID 832 wrote to memory of 3432	832	VjYf8Dv0.exe	52
PID 832 wrote to memory of 3432	832	VjYf8Dv0.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\MatrixRansomware.exe" "C:\Users\Admin\AppData\Local\Temp\NWJ8KRps.exe"
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\NWJ8KRps.exe
  "C:\Users\Admin\AppData\Local\Temp\NWJ8KRps.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\OhOQAtM6.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\OhOQAtM6.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\LmfUROdi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\LmfUROdi.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\YrHhVySU.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\YrHhVySU.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv064.exe
        
        VjYf8Dv0.exe -accepteula "DefaultID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3060
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:3892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2252
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:2728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2140
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:2524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:2424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3964
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3160
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:3608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1828
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:1212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:688
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  - Loads dropped DLL
  PID:3272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  - Loads dropped DLL
  PID:3344
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:4048
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:3528
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2128
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  - Loads dropped DLL
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  - Loads dropped DLL
  PID:3688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    - Modifies file permissions
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "email_all.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "email_all.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2172
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  - Loads dropped DLL
  PID:2200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  - Loads dropped DLL
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "rss.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "rss.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  - Loads dropped DLL
  PID:3196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  - Loads dropped DLL
  PID:3024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:848
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      Executes dropped EXE
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  - Loads dropped DLL
  PID:3020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  - Loads dropped DLL
  PID:2680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "can129.hsp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "can129.hsp" -nobanner
      4⤵
      Executes dropped EXE
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  - Loads dropped DLL
  PID:2616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      Executes dropped EXE
      PID:772
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  - Loads dropped DLL
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:3856
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  - Loads dropped DLL
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:3260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\wabmig.exe""
  2⤵
  - Loads dropped DLL
  PID:2608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wabmig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2412
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:2820
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3200
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:1444
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui""
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  PID:792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:3108
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui""
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:4060
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui""
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:3896
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:3664
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    - Modifies file permissions
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3688
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1740
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:3024
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:2068
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:200
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:2676
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui""
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui"
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1828
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui""
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "background.png" -nobanner
      4⤵
      PID:2672
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:4048
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:4040
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui""
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2636
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:2056
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui"
    3⤵
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:1372
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      PID:2536
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:324
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:3304
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:2600
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:2268
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    - Modifies file permissions
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    - Modifies file permissions
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:444
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:3964
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "can32.clx" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:644
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:3244
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:4020
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:3604
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:3068
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui""
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui"
    3⤵
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:852
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:3084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2076
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2348
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:2588
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    - Modifies file permissions
    PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:3412
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:3468
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:1916
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:3100
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    - Modifies file permissions
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:284
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:2592
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:1228
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui""
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\msoeres.dll.mui"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:3392
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui""
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:552
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3900
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:3444
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui""
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\es-ES\WinMail.exe.mui"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:320
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui""
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui""
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2244
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:2972
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui""
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:3408
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui""
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      PID:3364
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui""
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui"
    3⤵
    - Modifies file permissions
    PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:3840
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:3760
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3164
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3692
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:3368
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    - Modifies file permissions
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:3728
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:3304
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:2564
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:2728
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:2976
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:3488
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:2384
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:3636
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui""
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui"
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3784
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui""
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\ja-JP\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:3564
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui""
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui"
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui""
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui""
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui""
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      PID:3252
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:3984
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      System Location Discovery: System Language Discovery
      PID:344
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui"
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:2172
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "device.png" -nobanner
    3⤵
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "device.png" -nobanner
      4⤵
      PID:3660
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat" /E /G Admin:F /C
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "tokens.dat" -nobanner
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "tokens.dat" -nobanner
      4⤵
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    - Modifies file permissions
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1740
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:3388
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:2332
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:288
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:2068
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    - Modifies file permissions
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:772
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1228
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:2936
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:3488
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:3900
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:3904
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:2712
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:2448
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\it-IT\WinMail.exe.mui"
    3⤵
    - Modifies file permissions
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
      VjYf8Dv0.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe
    VjYf8Dv0.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat" "C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui""
  2⤵
  PID:3068

C:\Windows\system32\taskeng.exe
taskeng.exe {7EA95ABB-302F-45AA-BABE-F9D518B376D7} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:3496
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\YrHhVySU.bat"
  2⤵
  PID:3796
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2608
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3784
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:3852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\#README_EMAN#.rtf

Filesize
8KB

MD5
5f574bc0dbb40eb1cdb53485d9166b59

SHA1
769ba960cfbbf9667d384e7373f0a6a77f85cd3d

SHA256
0aee00de22542ef1db88ad6e23ccf7b731d23f41ed78d4d5414a9610e4090b96

SHA512
f7912eb3f670dd2a8faf677cd6d38187a093e3b68f4e27ce726c38bc219dea8841ed4c9138b4694e2d2b2061e920564089a1ffb414fede905a6e311964c799b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWJ8KRps.exe

Filesize
1.2MB

MD5
a93bd199d34d21cc9102600c6ce782cf

SHA1
31b50d84aa1af4f0e76a523382caba476f6e45dc

SHA256
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95

SHA512
642e0cacf80a54ffa8f1bdeebb2a9b9449bb062bc331924ff8b6c93853ade68cdbd23928081d7c5da7bce944f5c553b0c4b05bd90fda525f017415bd891534c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjYf8Dv0.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad_30E5CD98FD81F3F5.txt

Filesize
5KB

MD5
a184cc24f83bab89b26ca16ae624a11d

SHA1
2a4eb91967207e8a58e2627d7624135c60958671

SHA256
7ff20eca99842d526356048e8e56e093ce2affb6dd28b73d0560bb699d0fc58f

SHA512
15357ca2cf177db871e85214916431a1341c296386fba11fdfd958ff8edccba8a61f342954901f81d17574ef527a6a02bc93f2eff4d1402b9ebb24362f9c86ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_30E5CD98FD81F3F5.txt

Filesize
32KB

MD5
ddb2e8ec89327eba3eaf2d3dc1a9ff0b

SHA1
d3d45406e841ec8e8c5b010efe3515abff744b8e

SHA256
1f317b01464e0e62b2c00372ac882192b03da33bb9028b369ab94c1b8d435f34

SHA512
ddacf727ffe9ec73d49fa75367694e4c1e887d904eeeb2f632bd2819bdfd1f90663913aa308f448113a7b4c30b33e19d3cd27a76d62bd4105f9a75c9ca3d0f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJhxPvi0.bat

Filesize
226B

MD5
0671f9c4d8c2ec05f3e08218209687dc

SHA1
716683cefddd0e5d13a9e664c629a87f1fb35279

SHA256
dfc752b561458566aaddeb1057983db9207d8093a93ded7f5a419727198a7640

SHA512
722bfd1cd01d5c56b862bb8532970a5c3c4a0ee3d8a04f31748cc8ddefee0b1920cfc50272b0e0178cd41b91228e16712a7d3d861213278757bbf5f4c84e47f4

Download Submit
C:\Users\Admin\AppData\Roaming\LmfUROdi.vbs

Filesize
260B

MD5
91c3618fe8254eae2f1c06be1aa311be

SHA1
4828f50408f081e1e6bd855c048a1b3c5fc1c08b

SHA256
36b2f3f19b715540275b684d3cd0a684e61c5336936be6d158074b73038ac745

SHA512
be9ed07d4b516fa3162809babde3243bef81937578d328bff40b1078552463d1b431a986d6d83c62ee7ef88fbf91a28e753b616af10ed47c096dab2ed4d84143

Download Submit
C:\Users\Admin\AppData\Roaming\YrHhVySU.bat

Filesize
265B

MD5
893e084460ab952b499e7213c0a8b350

SHA1
6d9c51c4f8a7d2bd5351a7389c6969a7d4071a48

SHA256
844fa20a6bab590b6350db9887da5b177f7d6d6fccf1c996d926b658660d318c

SHA512
0d45f73a60b506d77037faf9925e13ba31fad77c2abb5cfb147f9532a65e2c0690ac884e08e46b5f44b9e1bdbf16742db8e5f6d207293dbdc1bfef753063242e

Download Submit
\Users\Admin\AppData\Local\Temp\VjYf8Dv064.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/340-7433-0x0000000000270000-0x00000000002E7000-memory.dmp

Filesize
476KB

Download
memory/636-7574-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/688-7540-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/772-7629-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/792-7555-0x0000000000830000-0x00000000008A7000-memory.dmp

Filesize
476KB

Download
memory/832-1926-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/832-7439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/848-7605-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/856-7586-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/880-7723-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/888-7526-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/900-7362-0x0000000002300000-0x0000000002377000-memory.dmp

Filesize
476KB

Download
memory/1120-7636-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1136-7660-0x0000000002300000-0x0000000002377000-memory.dmp

Filesize
476KB

Download
memory/1212-7683-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1372-7579-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1404-7443-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1432-7603-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1444-7544-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1444-7681-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1512-7667-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1512-7656-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1536-7596-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1656-7549-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1656-7547-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1684-7558-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1700-7655-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1704-7593-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1704-7719-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1708-7666-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1740-7725-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1828-7530-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1844-7640-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1900-7597-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1900-7615-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1900-7598-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1904-7564-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1908-7509-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/1936-7616-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2068-7621-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2088-7709-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2128-7576-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2140-7468-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2172-7584-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2176-7520-0x00000000004E0000-0x0000000000557000-memory.dmp

Filesize
476KB

Download
memory/2192-7638-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/2228-7447-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2244-7529-0x0000000000430000-0x00000000004A7000-memory.dmp

Filesize
476KB

Download
memory/2252-7453-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2252-7455-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2264-7451-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2264-7654-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2268-7617-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2296-7435-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2356-7482-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-7662-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2524-7490-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/2596-7492-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2600-7452-0x00000000022F0000-0x0000000002367000-memory.dmp

Filesize
476KB

Download
memory/2620-7657-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2696-7669-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2704-7619-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2720-7569-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2748-8-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2756-7516-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2820-7524-0x0000000000180000-0x00000000001F7000-memory.dmp

Filesize
476KB

Download
memory/2820-7671-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2828-7522-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2848-7607-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2860-7553-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2936-7633-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/3004-7664-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3040-7713-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3060-7407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3108-7695-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3112-7631-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3124-7591-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3132-7687-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3160-7512-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3172-7642-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3192-7627-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3200-7677-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3208-7602-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3252-7691-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3276-7717-0x0000000002300000-0x0000000002377000-memory.dmp

Filesize
476KB

Download
memory/3280-7626-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3280-7478-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3320-7580-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3336-7534-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3344-7570-0x0000000002330000-0x00000000023A7000-memory.dmp

Filesize
476KB

Download
memory/3380-7685-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3392-7487-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3408-7679-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3436-7472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3484-1921-0x0000000000590000-0x0000000000607000-memory.dmp

Filesize
476KB

Download
memory/3484-7438-0x0000000000590000-0x0000000000607000-memory.dmp

Filesize
476KB

Download
memory/3528-7571-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3528-7572-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3560-7459-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3608-7535-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3664-7707-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3668-7711-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3688-7715-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3700-7577-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3700-7578-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3736-7582-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3752-7689-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3760-7673-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3836-7697-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3856-7635-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3860-7701-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3896-7703-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3912-7502-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3964-7498-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3976-7496-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/3992-7565-0x00000000023B0000-0x0000000002427000-memory.dmp

Filesize
476KB

Download
memory/3996-7705-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4048-7567-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4060-7699-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download