matrix | 224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
08-03-2021 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new_jdpr.exe
Size

1.3MB
MD5

2c52f3918b636736bdf0022c64115b26
SHA1

88cf55ae8c77ed23219e7c8fe794afa93301ad6d
SHA256

224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914
SHA512

551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Score

10^/10

matrix discovery evasion persistence ransomware spyware upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.default-release\storage\default\moz-extension+++4c89016f-388f-4cf4-996f-2c83e646cdb2^userContextId=4294967295\idb\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Music\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Public\Documents\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Favorites\Links for United States\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.default-release\storage\permanent\chrome\idb\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxz60m9o.default-release\cache2\doomed\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\ProgramData\Microsoft Help\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Favorites\Links\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\MSBuild\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Documents\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Public\Videos\Sample Videos\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\JDPR_README.rtf	new_jdpr.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1816	bcdedit.exe
932	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	mSXUoud864.exe

Executes dropped EXE 64 IoCs

pid	Process
2044	NWDTzyuS.exe
888	mSXUoud8.exe
1712	mSXUoud864.exe
1744	mSXUoud8.exe
1752	mSXUoud8.exe
1452	mSXUoud8.exe
856	mSXUoud8.exe
1752	mSXUoud8.exe
1732	mSXUoud8.exe
1716	takeown.exe
2004	mSXUoud8.exe
1748	cmd.exe
1104	mSXUoud8.exe
316	mSXUoud8.exe
464	mSXUoud8.exe
1576	mSXUoud8.exe
1104	mSXUoud8.exe
628	mSXUoud8.exe
1196	mSXUoud8.exe
1912	mSXUoud8.exe
548	mSXUoud8.exe
2008	mSXUoud8.exe
1748	mSXUoud8.exe
1928	mSXUoud8.exe
1500	mSXUoud8.exe
2040	mSXUoud8.exe
984	mSXUoud8.exe
1736	mSXUoud8.exe
1432	mSXUoud8.exe
1816	mSXUoud8.exe
1192	mSXUoud8.exe
1904	mSXUoud8.exe
292	mSXUoud8.exe
2016	mSXUoud8.exe
804	mSXUoud8.exe
1512	mSXUoud8.exe
1192	mSXUoud8.exe
940	mSXUoud8.exe
1732	mSXUoud8.exe
2016	mSXUoud8.exe
576	mSXUoud8.exe
1192	mSXUoud8.exe
1960	mSXUoud8.exe
804	mSXUoud8.exe
2040	mSXUoud8.exe
224	mSXUoud8.exe
236	mSXUoud8.exe
1748	mSXUoud8.exe
1608	mSXUoud8.exe
1928	mSXUoud8.exe
204	mSXUoud8.exe
972	mSXUoud8.exe
1576	mSXUoud8.exe
1752	mSXUoud8.exe
1604	mSXUoud8.exe
1720	mSXUoud8.exe
236	mSXUoud8.exe
576	mSXUoud8.exe
2044	mSXUoud8.exe
1924	mSXUoud8.exe
1716	mSXUoud8.exe
940	mSXUoud8.exe
1084	mSXUoud8.exe
1748	mSXUoud8.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000300000001315b-26.dat	upx
behavioral1/files/0x000300000001315b-25.dat	upx
behavioral1/files/0x000300000001315b-28.dat	upx
behavioral1/files/0x000300000001315b-41.dat	upx
behavioral1/files/0x000300000001315b-43.dat	upx
behavioral1/files/0x000300000001315b-45.dat	upx
behavioral1/files/0x000300000001315b-47.dat	upx
behavioral1/files/0x000300000001315b-53.dat	upx
behavioral1/files/0x000300000001315b-55.dat	upx
behavioral1/files/0x000300000001315b-57.dat	upx
behavioral1/files/0x000300000001315b-59.dat	upx
behavioral1/files/0x000300000001315b-65.dat	upx
behavioral1/files/0x000300000001315b-67.dat	upx
behavioral1/files/0x000300000001315b-69.dat	upx
behavioral1/files/0x000300000001315b-71.dat	upx
behavioral1/files/0x000300000001315b-77.dat	upx
behavioral1/files/0x000300000001315b-79.dat	upx
behavioral1/files/0x000300000001315b-81.dat	upx
behavioral1/files/0x000300000001315b-83.dat	upx
behavioral1/files/0x000300000001315b-89.dat	upx
behavioral1/files/0x000300000001315b-91.dat	upx
behavioral1/files/0x000300000001315b-93.dat	upx
behavioral1/files/0x000300000001315b-95.dat	upx
behavioral1/files/0x000300000001315b-101.dat	upx
behavioral1/files/0x000300000001315b-103.dat	upx
behavioral1/files/0x000300000001315b-105.dat	upx
behavioral1/files/0x000300000001315b-107.dat	upx
behavioral1/files/0x000300000001315b-113.dat	upx
behavioral1/files/0x000300000001315b-115.dat	upx
behavioral1/files/0x000300000001315b-117.dat	upx
behavioral1/files/0x000300000001315b-119.dat	upx
behavioral1/files/0x000300000001315b-125.dat	upx
behavioral1/files/0x000300000001315b-126.dat	upx
behavioral1/files/0x000300000001315b-128.dat	upx
behavioral1/files/0x000300000001315b-129.dat	upx
behavioral1/files/0x000300000001315b-131.dat	upx
behavioral1/files/0x000300000001315b-132.dat	upx
behavioral1/files/0x000300000001315b-134.dat	upx
behavioral1/files/0x000300000001315b-135.dat	upx
behavioral1/files/0x000300000001315b-137.dat	upx
behavioral1/files/0x000300000001315b-138.dat	upx
behavioral1/files/0x000300000001315b-140.dat	upx
behavioral1/files/0x000300000001315b-141.dat	upx
behavioral1/files/0x000300000001315b-143.dat	upx
behavioral1/files/0x000300000001315b-144.dat	upx
behavioral1/files/0x000300000001315b-146.dat	upx
behavioral1/files/0x000300000001315b-147.dat	upx
behavioral1/files/0x000300000001315b-149.dat	upx
behavioral1/files/0x000300000001315b-150.dat	upx
behavioral1/files/0x000300000001315b-152.dat	upx
behavioral1/files/0x000300000001315b-153.dat	upx
behavioral1/files/0x000300000001315b-155.dat	upx
behavioral1/files/0x000300000001315b-156.dat	upx
behavioral1/files/0x000300000001315b-158.dat	upx
behavioral1/files/0x000300000001315b-159.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1656	new_jdpr.exe
1656	new_jdpr.exe
1840	cmd.exe
888	mSXUoud8.exe
2020	cmd.exe
936	cmd.exe
940	cmd.exe
744	cmd.exe
2020	cmd.exe
772	cmd.exe
1468	cmd.exe
676	cmd.exe
2016	cmd.exe
1196	cmd.exe
1224	cmd.exe
856	cmd.exe
1748	cmd.exe
1736	cmd.exe
1816	cmd.exe
1432	cmd.exe
292	cmd.exe
576	cmd.exe
804	cmd.exe
1816	cmd.exe
1608	cmd.exe
940	cmd.exe
1732	cmd.exe
1912	cmd.exe
2020	cmd.exe
2008	cmd.exe
940	cmd.exe
1608	cmd.exe
1696	cmd.exe
1196	cmd.exe
984	cmd.exe
1576	cmd.exe
2040	cmd.exe
1912	cmd.exe
972	cmd.exe
1104	cmd.exe
1744	cmd.exe
2020	cmd.exe
1196	cmd.exe
1816	cmd.exe
1744	cmd.exe
848	cmd.exe
216	cmd.exe
1512	cmd.exe
1736	cmd.exe
1808	cmd.exe
1432	cmd.exe
1924	cmd.exe
1512	cmd.exe
224	cmd.exe
1808	cmd.exe
908	cmd.exe
1452	cmd.exe
1104	cmd.exe
1292	cmd.exe
972	cmd.exe
2016	cmd.exe
1744	cmd.exe
232	cmd.exe
936	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2376	takeown.exe
2044	takeown.exe
936	takeown.exe
1808	takeown.exe
212	takeown.exe
1300	takeown.exe
2760	takeown.exe
1744	takeown.exe
2220	takeown.exe
1576	takeown.exe
1104	takeown.exe
1808	takeown.exe
1928	takeown.exe
1752	takeown.exe
1468	takeown.exe
2640	Process not Found
1432	takeown.exe
576	takeown.exe
744	takeown.exe
1752	takeown.exe
2368	takeown.exe
2780	Process not Found
1608	takeown.exe
744	takeown.exe
1192	takeown.exe
1312	takeown.exe
856	takeown.exe
1732	takeown.exe
1608	takeown.exe
1748	takeown.exe
1696	takeown.exe
1512	takeown.exe
908	takeown.exe
972	takeown.exe
228	takeown.exe
576	takeown.exe
1584	takeown.exe
292	takeown.exe
1312	takeown.exe
1300	takeown.exe
848	takeown.exe
2872	takeown.exe
2156	takeown.exe
308	takeown.exe
848	takeown.exe
1192	takeown.exe
1120	takeown.exe
1192	takeown.exe
1808	takeown.exe
292	takeown.exe
1312	takeown.exe
1928	takeown.exe
232	takeown.exe
2444	takeown.exe
2040	takeown.exe
1696	takeown.exe
1740	takeown.exe
1720	takeown.exe
2160	Process not Found
1816	takeown.exe
1196	takeown.exe
224	takeown.exe
1696	takeown.exe
628	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6O9TWDTA\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	new_jdpr.exe
File opened for modification	C:\Program Files\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X6969WXQ\desktop.ini	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XHJ74TZW\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5JH7AFHU\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	new_jdpr.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\Y:	WINWORD.EXE
File opened (read-only)	\??\V:	new_jdpr.exe
File opened (read-only)	\??\F:	new_jdpr.exe
File opened (read-only)	\??\B:	mSXUoud864.exe
File opened (read-only)	\??\S:	mSXUoud864.exe
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\E:	mSXUoud864.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\J:	WINWORD.EXE
File opened (read-only)	\??\U:	new_jdpr.exe
File opened (read-only)	\??\R:	new_jdpr.exe
File opened (read-only)	\??\O:	new_jdpr.exe
File opened (read-only)	\??\R:	WINWORD.EXE
File opened (read-only)	\??\U:	mSXUoud864.exe
File opened (read-only)	\??\V:	mSXUoud864.exe
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\F:	WINWORD.EXE
File opened (read-only)	\??\N:	new_jdpr.exe
File opened (read-only)	\??\L:	new_jdpr.exe
File opened (read-only)	\??\L:	mSXUoud864.exe
File opened (read-only)	\??\O:	WINWORD.EXE
File opened (read-only)	\??\W:	WINWORD.EXE
File opened (read-only)	\??\X:	mSXUoud864.exe
File opened (read-only)	\??\Y:	mSXUoud864.exe
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\E:	new_jdpr.exe
File opened (read-only)	\??\M:	mSXUoud864.exe
File opened (read-only)	\??\P:	mSXUoud864.exe
File opened (read-only)	\??\A:	WINWORD.EXE
File opened (read-only)	\??\K:	WINWORD.EXE
File opened (read-only)	\??\Z:	WINWORD.EXE
File opened (read-only)	\??\K:	new_jdpr.exe
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\M:	WINWORD.EXE
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\B:	WINWORD.EXE
File opened (read-only)	\??\L:	WINWORD.EXE
File opened (read-only)	\??\P:	WINWORD.EXE
File opened (read-only)	\??\I:	new_jdpr.exe
File opened (read-only)	\??\W:	mSXUoud864.exe
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\N:	mSXUoud864.exe
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\E:	WINWORD.EXE
File opened (read-only)	\??\Y:	new_jdpr.exe
File opened (read-only)	\??\S:	new_jdpr.exe
File opened (read-only)	\??\H:	new_jdpr.exe
File opened (read-only)	\??\Q:	WINWORD.EXE
File opened (read-only)	\??\S:	WINWORD.EXE
File opened (read-only)	\??\M:	new_jdpr.exe
File opened (read-only)	\??\A:	mSXUoud864.exe
File opened (read-only)	\??\T:	WINWORD.EXE
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\P:	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof	Process not Found

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\cg0xxAeU.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ED12A50C-ADCB-4FB6-B0B7-713544A9D99B}\CR_EB8C7.tmp\setup.exe	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	new_jdpr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\fil.pak	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	new_jdpr.exe
File opened for modification	C:\Program Files\EnterTrace.mpg	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	new_jdpr.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\JDPR_README.rtf	new_jdpr.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI68D9.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI81F5.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSID017.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI8DBC.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIB4E4.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI9461.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSID6B2.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIEB4E.tmp	Process not Found
File opened for modification	C:\Windows\Installer\f75c44e.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSI83D0.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIC34.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI482D.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIE927.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI88FE.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIADA9.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI2C3C.tmp	Process not Found
File created	C:\Windows\Installer\f75c46b.mst	Process not Found
File opened for modification	C:\Windows\Installer\MSI53E1.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI8DCC.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI168B.tmp	Process not Found
File opened for modification	C:\Windows\Installer\f75c45d.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSIDD38.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI57D.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI7049.tmp	Process not Found
File created	C:\Windows\Installer\f75c48c.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSI75A5.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI897C.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSID75C.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIEBDF.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIE4D.tmp	Process not Found
File created	C:\Windows\Installer\f75c464.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSI6D64.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI878F.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIC6A9.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIC38E.tmp	Process not Found
File created	C:\Windows\Installer\f75c42a.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSICE0B.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI167B.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI34B1.tmp	Process not Found
File created	C:\Windows\Installer\f75c46e.mst	Process not Found
File opened for modification	C:\Windows\Installer\MSID819.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIEB6E.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI788.tmp	Process not Found
File opened for modification	C:\Windows\Installer\f75c45a.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSI2021.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIC89A.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI2042.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI5C3F.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI773C.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI5431.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIA356.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIB7F5.tmp	Process not Found
File created	C:\Windows\Installer\f75c433.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSIFC7B.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIFE80.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI248D.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIF550.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI5D4B.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI6B3E.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIB2D8.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSIB9D2.tmp	Process not Found
File opened for modification	C:\Windows\Installer\MSI249E.tmp	Process not Found
File opened for modification	C:\Windows\Installer\f75c47a.ipi	Process not Found
File opened for modification	C:\Windows\Installer\MSI8126.tmp	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1904	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1720	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\36	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3F	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\42	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\46	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\36	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\37	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3D	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4A	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3B	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3D	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\45	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\46	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\40	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\43	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\48	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2B	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\39	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\43	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\49	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3A	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\27	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2C	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2C	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3B	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\41	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4B	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4B	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\49	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\27	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2B	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\48	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2A	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\38	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\44	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\47	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\28	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\37	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\41	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\42	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4C	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4D	Process not Found
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\40	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\EssentialMergeLetter.dotx = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e007500590069004b004d003100740073004e0041006a004c005f0025005e0029003000610052005f005b005e00340032005d005c0045007300730065006e007400690061006c0020004d00650072006700650020004c00650074007400650072002e0064006f007400780000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109B10090400000000000F01FEC\WhiteRabbitHiddenIntl_1033	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109E60090400000000000F01FEC\UICaptionsCompanionIntl_1033 = "ProductFilesIntl_1033"	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\1388E932434EA1242A73205BAD92D9CE\Excel\1033 = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b0045005800430045004c00460069006c006500730049006e0074006c005f0031003000330033003e0025004700340071004d0050002c004f004500390028004900280048004f0064006a004500470029007300650074006c0061006e0067000000780062002700420056004d002800380041002400210021002100210021004d004b004b0053006b0045007800630065006c0043006f006e007600650072007400650072003100320049006e0074006c005f0031003000330033003e0025004700340071004d0050002c004f004500390028004900280048004f0064006a004500470029007300650074006c0061006e00670000007800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0045007800630065006c0043006f006e007600650072007400650072003100320049006e0074006c005f0031003000330033003e0025004700340071004d0050002c004f004500390028004900280048004f0064006a004500470029007300650074006c0061006e00670000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefBilingualTextContext.1.0\ = "LexRefBilingualTextContext Class"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\36D0A086BEFF5CD46B8920ABFA2A9819	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\BlackTieMergeLetter.dotx = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e003d003f0021006c002100260044006000770040004800400078003d00390035003d007e0051005e005b005e00340032005d005c0042006c00610063006b00200054006900650020004d00650072006700650020004c00650074007400650072002e0064006f007400780000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\EquiLett.dot = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e002e00460072002a0034006e004e004a0074003d002c0068006300510027004c0040007e0037006d005b005e00340032005d005c0045007100750069007400790020004c00650074007400650072002e0064006f007400780000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{5F401D48-328B-454F-B01D-523658C364C6},{0002CE02-0000-0000-C000-000000000046} = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004500710075006100740069006f006e0045006400690074006f007200460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{239E8831-E434-421A-A237-02B5DA299DEC},List\1033 = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045005800430045004c00460069006c00650073000000780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004c00490053005400460069006c00650073000000780062002700420056004a002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00410043004300450053005300460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{CC29EB5D-7BC2-11D1-A921-00A0C91E2AA2},outex.ecf = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004f00550054004c004f004f004b00460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\749801C0E1F98EA4FBD0985566B22EFF\1036 = 7800620027004200560057003f00570041002400210021002100210021004d004b004b0053006b005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f0031003000330036003e006a003700250062005300730059002800670028003f00750024002100210036007e0039003700460000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109910090400000000000F01FEC\PubPaperDirectA4Intl_1033	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\000041091A0090400000000000F01FEC\OneNoteHelpFilesIntl_1033 = "OneNoteFilesIntl_1033"	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\95ABB819C9B84584CBD9C0F8FA658F27\1033 = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057006f007200640044006f00630075006d0065006e00740050006100720074007300460069006c006500730049006e0074006c005f0031003000330033003c0000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{239E8831-E434-421A-A237-02B5DA299DEC},CLVIEW\1033 = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0041006c00770061007900730049006e007300740061006c006c006500640000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109810090400000000000F01FEC\SetupControllerFiles	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{3A737E86-3543-4DC2-A33A-2757674258C5},1033\Discussion.gta = 7800620027004200560045002a00380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00470072006f006f0076006500460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\CAFF1E24517F24441899E380A0889CC0\1033\OMSINTL.DLL = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b004f006d00730049006e0074006c005f0031003000330033003e006b003d007a0067006c002b003d00330046004000710072005a00620055006600210041004700710000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109F10090400000000000F01FEC\SpellingAndGrammarFiles_1033	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{C9DA77FC-18F8-4172-8D65-0DAE5D1CED1A},ProofModelFile\1033 = 7800620027004200560054002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f00310030003300330000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{0979747D-C33E-413D-9737-046F1473EB19},1033 = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00560042004100460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{AD722A80-AD66-4974-A4D6-034C37CE8BB7},1033\excel.hxs = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045007800630065006c00480065006c007000460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\6DCB319E06591D11781C00AA007AE1D2\1033\jungle.gif = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b00530074006100740069006f006e0065007200790045007800740065006e0064006500640049006e0074006c005f0031003000330033003c0000000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\2145AEDD47EF16C49A5F7133E322CB20	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStFrObject.1.0\CurVer\ = "LR.LexRefStFrObject.1.0.1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\B347638FCC3D5BE438A7B3A875C058E2	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\ExcelPiaReg64	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8940DAE453F43FF46A6AA36E3829ABE5\1033 = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b0057006800690074006500520061006200620069007400480069006400640065006e0049006e0074006c005f0031003000330033003e006b003d00280078005e005f006000410062003d002500750026003600310026007700720033002c0000007800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057006800690074006500520061006200620069007400480069006400640065006e0049006e0074006c005f0031003000330033003e006b003d00280078005e005f006000410062003d002500750026003600310026007700720033002c000000780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b0057006800690074006500520061006200620069007400480069006400640065006e0049006e0074006c005f0031003000330033003e006b003d00280078005e005f006000410062003d002500750026003600310026007700720033002c0000000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\4097559C474E7AE408017D1F0870E7AC	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109AB0090400000000000F01FEC\SetupControllerFiles	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\219DB75EC8032D11A9A90006794C4E25\1033 = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b004400560045007800740065006e00730069006f006e007300460069006c006500730049006e0074006c005f0031003000330033003e00600055005a006500210071007900560024003d007d00560027002600690026006a005a002700710000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{CC29EDE3-7BC2-11D1-A921-00A0C91E2AA2},1033\ImportAccounts = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004f00750074006c006f006f006b0049006d0070006f00720074004500780070006f0072007400460069006c006500730000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefBilingualTextContext.1.0\CurVer\ = "LR.LexRefBilingualTextContext.1.0.1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.CVisioFileFilter\CLSID	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner\CLSID	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\Outlook64SearchShellReg	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{AD722A80-AD66-4974-A4D6-034C37CE8BB7},1033\xlmacro.chm = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045007800630065006c00480065006c007000460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\338BBE69B1DA06C4EB82874E79F60449\1033\OMSSMS.CFG = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b004f006d00730049006e0074006c005f0031003000330033003e002e002c005d004700390036006c006a004c003f0078006e005f0065006a004b0029002c004e00680000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\2145AEDD47EF16C49A5F7133E322CB20\1033\mapishellr.dll.x86 = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b005300650061007200630068005300680065006c006c0052006500670049006e0074006c005f0031003000330033003c0000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{E913BCD6-9560-11D1-87C1-00AA00A71E2D},1033\techtool.gif = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004f00750074006c006f006f006b00530074006100740069006f006e0065007200790042006100730069006300460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{863226F8-F40F-48B7-A9B7-0212EE66F812},1033\Tasks_Part.accdt = 780062002700420056004a002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00410063006300650073007300540065006d0070006c00610074006500730049006e0074006c0000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109611090400100000000F01FEC\Gimme_OnDemandData	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{863226F8-F40F-48B7-A9B7-0212EE66F812},1033\1Right_Part.accdt = 780062002700420056004a002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00410063006300650073007300540065006d0070006c00610074006500730049006e0074006c0000000000	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{EDDCFF16-3AEE-4883-BD91-0F3978640DFB}\1.0	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{863226F8-F40F-48B7-A9B7-0212EE66F812},1033\WideScre.pot = 780062002700420056004d002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00500050005400500072006500730065006e0074006100740069006f006e00540065006d0070006c00610074006500730000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109810090400000000000F01FEC\PPTNonBootFilesIntl_1033 = "PPTFilesIntl_1033"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\4DCB319E06591D11781C00AA007AE1D2	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\6DCB319E06591D11781C00AA007AE1D2\1033\currency.gif = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b00530074006100740069006f006e0065007200790042006100730069006300460069006c006500730049006e0074006c005f0031003000330033003c0000000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\A09DB75EC8032D11A9A90006794C4E25	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\MsoCommonShellHandler64bit	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Equations\ = "Microsoft Equation"	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\OlMergLe.dot = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e004f005600780076007300390060005500580041004e005e004b0052004e005e0041007a006a0071005b005e00340032005d005c004f007200690065006c0020004d00650072006700650020004c00650074007400650072002e0064006f007400780000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{CC29EC0F-7BC2-11D1-A921-00A0C91E2AA2},jpeg = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0047007200610070006800690063007300460069006c0074006500720073004a00500045004700460069006c006500730000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{00141843-32F2-4860-A813-77B69DDFA3B5},3082\3082 = 780062002700420056005e007d00740072002600210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f00330030003800320000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\CF77AD9C8F812714D856D0EAD5C1DEA1\ProofModelFile\1036 = 7800620027004200560057003f00570041002400210021002100210021004d004b004b0053006b005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f0031003000330036003e0030004a0025004c004100320051006f004d003900640055002400690060006f00430037002c00560000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{C3C48C3D-37B6-4C96-859A-C84F57D2D108},1025/1036 = 7800620027004200560057003f00570041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c005400720061006e0073006c006100740069006f006e00460069006c00650073005f00310030003300360000000000	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\5ABBC7A3529892F48975D0224E1A43DA\1033 = 7800620027004200560027002a00380041002400210021002100210021004d004b004b0053006b004f006e0065004e006f00740065004e006f006e0042006f006f007400460069006c006500730049006e0074006c005f0031003000330033003e00740043005100380043005700780033005100390070007a0043002500390074005a0076002400270000000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\ProgID	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\E59E417A6B063D11D83000054038584D	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{AD722A80-AD66-4974-A4D6-034C37CE8BB7},1033\fm20.chm = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00500072006f006400750063007400460069006c006500730000000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\216490E0EFC183C4FB4DD378CA809599	Process not Found
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{F836743B-D3CC-4EB5-837A-3B8A570C852E},1033\thatch.dotx = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0057006f007200640051007500690063006b0046006f0072006d00610074007300460069006c006500730000000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\VersionIndependentProgID	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2008	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1712	mSXUoud864.exe
1712	mSXUoud864.exe
1712	mSXUoud864.exe
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1712	mSXUoud864.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	mSXUoud864.exe
Token: SeLoadDriverPrivilege	1712	mSXUoud864.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	1192	takeown.exe
Token: SeTakeOwnershipPrivilege	1752	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	1576	takeown.exe
Token: SeTakeOwnershipPrivilege	1292	takeown.exe
Token: SeTakeOwnershipPrivilege	1500	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	204	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeIncreaseQuotaPrivilege	676	WMIC.exe
Token: SeSecurityPrivilege	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	676	WMIC.exe
Token: SeLoadDriverPrivilege	676	WMIC.exe
Token: SeSystemProfilePrivilege	676	WMIC.exe
Token: SeSystemtimePrivilege	676	WMIC.exe
Token: SeProfSingleProcessPrivilege	676	WMIC.exe
Token: SeIncBasePriorityPrivilege	676	WMIC.exe
Token: SeCreatePagefilePrivilege	676	WMIC.exe
Token: SeBackupPrivilege	676	WMIC.exe
Token: SeRestorePrivilege	676	WMIC.exe
Token: SeShutdownPrivilege	676	WMIC.exe
Token: SeDebugPrivilege	676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	676	WMIC.exe
Token: SeRemoteShutdownPrivilege	676	WMIC.exe
Token: SeUndockPrivilege	676	WMIC.exe
Token: SeManageVolumePrivilege	676	WMIC.exe
Token: 33	676	WMIC.exe
Token: 34	676	WMIC.exe
Token: 35	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	236	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	548	takeown.exe
Token: SeIncreaseQuotaPrivilege	676	WMIC.exe
Token: SeSecurityPrivilege	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	676	WMIC.exe
Token: SeLoadDriverPrivilege	676	WMIC.exe
Token: SeSystemProfilePrivilege	676	WMIC.exe
Token: SeSystemtimePrivilege	676	WMIC.exe
Token: SeProfSingleProcessPrivilege	676	WMIC.exe
Token: SeIncBasePriorityPrivilege	676	WMIC.exe
Token: SeCreatePagefilePrivilege	676	WMIC.exe
Token: SeBackupPrivilege	676	WMIC.exe
Token: SeRestorePrivilege	676	WMIC.exe
Token: SeShutdownPrivilege	676	WMIC.exe
Token: SeDebugPrivilege	676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	676	WMIC.exe
Token: SeRemoteShutdownPrivilege	676	WMIC.exe
Token: SeUndockPrivilege	676	WMIC.exe
Token: SeManageVolumePrivilege	676	WMIC.exe
Token: 33	676	WMIC.exe
Token: 34	676	WMIC.exe
Token: 35	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2008	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	WINWORD.EXE
2008	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	27
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	27
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	27
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	27
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	29
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	29
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	29
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	29
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	34
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	34
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	34
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	34
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	35
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	35
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	35
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	35
PID 1648 wrote to memory of 1720	1648	cmd.exe	38
PID 1648 wrote to memory of 1720	1648	cmd.exe	38
PID 1648 wrote to memory of 1720	1648	cmd.exe	38
PID 1648 wrote to memory of 1720	1648	cmd.exe	38
PID 1648 wrote to memory of 268	1648	cmd.exe	40
PID 1648 wrote to memory of 268	1648	cmd.exe	40
PID 1648 wrote to memory of 268	1648	cmd.exe	40
PID 1648 wrote to memory of 268	1648	cmd.exe	40
PID 1648 wrote to memory of 1140	1648	cmd.exe	41
PID 1648 wrote to memory of 1140	1648	cmd.exe	41
PID 1648 wrote to memory of 1140	1648	cmd.exe	41
PID 1648 wrote to memory of 1140	1648	cmd.exe	41
PID 908 wrote to memory of 1580	908	cmd.exe	39
PID 908 wrote to memory of 1580	908	cmd.exe	39
PID 908 wrote to memory of 1580	908	cmd.exe	39
PID 908 wrote to memory of 1580	908	cmd.exe	39
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	42
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	42
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	42
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	42
PID 1524 wrote to memory of 1512	1524	cmd.exe	44
PID 1524 wrote to memory of 1512	1524	cmd.exe	44
PID 1524 wrote to memory of 1512	1524	cmd.exe	44
PID 1524 wrote to memory of 1512	1524	cmd.exe	44
PID 1580 wrote to memory of 1924	1580	wscript.exe	45
PID 1580 wrote to memory of 1924	1580	wscript.exe	45
PID 1580 wrote to memory of 1924	1580	wscript.exe	45
PID 1580 wrote to memory of 1924	1580	wscript.exe	45
PID 1524 wrote to memory of 308	1524	cmd.exe	47
PID 1524 wrote to memory of 308	1524	cmd.exe	47
PID 1524 wrote to memory of 308	1524	cmd.exe	47
PID 1524 wrote to memory of 308	1524	cmd.exe	47
PID 1924 wrote to memory of 1904	1924	cmd.exe	48
PID 1924 wrote to memory of 1904	1924	cmd.exe	48
PID 1924 wrote to memory of 1904	1924	cmd.exe	48
PID 1924 wrote to memory of 1904	1924	cmd.exe	48
PID 1524 wrote to memory of 1840	1524	cmd.exe	49
PID 1524 wrote to memory of 1840	1524	cmd.exe	49
PID 1524 wrote to memory of 1840	1524	cmd.exe	49
PID 1524 wrote to memory of 1840	1524	cmd.exe	49
PID 1840 wrote to memory of 888	1840	cmd.exe	50
PID 1840 wrote to memory of 888	1840	cmd.exe	50
PID 1840 wrote to memory of 888	1840	cmd.exe	50
PID 1840 wrote to memory of 888	1840	cmd.exe	50
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	51
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	51
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	51
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	51

C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe
"C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe" "C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe"
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe
  "C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cg0xxAeU.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cg0xxAeU.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:268
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\VuVav6cq.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\VuVav6cq.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\mSXUoud864.exe
        
        mSXUoud8.exe -accepteula "AdobeID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Executes dropped EXE
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1576
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  - Loads dropped DLL
  PID:576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  - Loads dropped DLL
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      Executes dropped EXE
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
    3⤵
    PID:576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Journal.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Journal.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
  2⤵
  - Loads dropped DLL
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Graph.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Graph.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\wabmig.exe""
  2⤵
  - Loads dropped DLL
  PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
    3⤵
    PID:628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "wabmig.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "wabmig.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "jnwmon.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "jnwmon.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
  2⤵
  - Loads dropped DLL
  PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
    3⤵
    PID:576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Genko_2.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Genko_2.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\wab.exe""
  2⤵
  - Loads dropped DLL
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "wab.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "wab.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  - Loads dropped DLL
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "license.html" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "license.html" -nobanner
      4⤵
      Executes dropped EXE
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  - Loads dropped DLL
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PDIALOG.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PDIALOG.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
  2⤵
  - Loads dropped DLL
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Music.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Music.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
  2⤵
  - Loads dropped DLL
  PID:848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PDIALOG.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PDIALOG.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:804
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
  2⤵
  - Loads dropped DLL
  PID:1512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Shorthand.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Shorthand.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:224
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "NBMapTIP.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "NBMapTIP.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
  2⤵
  - Loads dropped DLL
  PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Month_Calendar.jtp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Month_Calendar.jtp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
  2⤵
  - Loads dropped DLL
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ImagingDevices.exe.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ImagingDevices.exe.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  - Loads dropped DLL
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  - Loads dropped DLL
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      Executes dropped EXE
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  - Loads dropped DLL
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "bl.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "bl.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:576
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    - Modifies file permissions
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:1924
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    - Modifies file permissions
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:848
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    - Modifies file permissions
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Journal.exe""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Journal.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Journal.exe" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Journal.exe" -nobanner
      4⤵
      PID:292
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Seyes.jtp" -nobanner
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Seyes.jtp" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    - Modifies file permissions
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    - Modifies file permissions
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    - Modifies file permissions
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    - Modifies file permissions
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
  2⤵
  PID:628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
      4⤵
      PID:676
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
    3⤵
    - Modifies file permissions
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Memo.jtp" -nobanner
    3⤵
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Memo.jtp" -nobanner
      4⤵
      PID:1452
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\WinMail.exe""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
    3⤵
    - Modifies file permissions
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:1448
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    - Modifies file permissions
    PID:576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    - Modifies file permissions
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "main.css" -nobanner
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    - Modifies file permissions
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    - Modifies file permissions
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    - Modifies file permissions
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:744
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    - Modifies file permissions
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Modifies file permissions
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "wab.exe" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "wab.exe" -nobanner
      4⤵
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    - Modifies file permissions
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:292
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    - Modifies file permissions
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:848
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "JNTFiltr.dll.mui" -nobanner
    3⤵
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "JNTFiltr.dll.mui" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
    3⤵
    - Modifies file permissions
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Dotted_Line.jtp" -nobanner
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Dotted_Line.jtp" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
  2⤵
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
      4⤵
      PID:1576
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
  2⤵
  PID:628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "background.png" -nobanner
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
    3⤵
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn" /E /G Admin:F /C
    3⤵
    PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn"
    3⤵
    - Modifies file permissions
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MS.GROOVE.14.1033.hxn" -nobanner
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MS.GROOVE.14.1033.hxn" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn""
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MS.ONENOTE.14.1033.hxn" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MS.ONENOTE.14.1033.hxn" -nobanner
      4⤵
      PID:1312
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu""
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu"
    3⤵
    - Modifies file permissions
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Windows6.1-KB2999226-x64.msu" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Windows6.1-KB2999226-x64.msu" -nobanner
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:1312
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "background.png" -nobanner
      4⤵
      PID:936
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    - Modifies file permissions
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:1312
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    - Modifies file permissions
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
    3⤵
    PID:236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "jnwdui.dll.mui" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "jnwdui.dll.mui" -nobanner
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Genko_1.jtp" -nobanner
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "Genko_1.jtp" -nobanner
      4⤵
      PID:2132
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
    3⤵
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
      4⤵
      PID:2228
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    - Modifies file permissions
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:2384
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
    3⤵
    - Modifies file permissions
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "blank.jtp" -nobanner
    3⤵
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "blank.jtp" -nobanner
      4⤵
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "To_Do_List.jtp" -nobanner
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "To_Do_List.jtp" -nobanner
      4⤵
      PID:2544
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    - Modifies file permissions
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:2892
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:2072
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:2268
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:2476
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:2560
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:2644
- - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
    mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
      mSXUoud8.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {8E1A1768-8F34-4C18-9CF9-AC3A6DBEDE98} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
PID:2028
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat"
  2⤵
  PID:1264
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1816
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:932
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Public\Desktop\JDPR_README.rtf"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-576-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/212-432-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/212-430-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1432-382-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1580-34-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1656-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/2008-387-0x0000000070801000-0x0000000070803000-memory.dmp

Filesize
8KB

Download
memory/2008-381-0x0000000072D81000-0x0000000072D84000-memory.dmp

Filesize
12KB

Download
memory/2008-394-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-566-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3068-505-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download