matrix | 224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
08-03-2021 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new_jdpr.exe
Size

1.3MB
MD5

2c52f3918b636736bdf0022c64115b26
SHA1

88cf55ae8c77ed23219e7c8fe794afa93301ad6d
SHA256

224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914
SHA512

551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Score

10^/10

matrix discovery evasion persistence ransomware spyware upx

Malware Config

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

new_jdpr.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.default-release\storage\default\moz-extension+++4c89016f-388f-4cf4-996f-2c83e646cdb2^userContextId=4294967295\idb\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Music\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Public\Documents\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Favorites\Links for United States\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.default-release\storage\permanent\chrome\idb\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxz60m9o.default-release\cache2\doomed\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\ProgramData\Microsoft Help\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Favorites\Links\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\MSBuild\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Admin\Documents\JDPR_README.rtf	new_jdpr.exe
File created	C:\Users\Public\Videos\Sample Videos\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\JDPR_README.rtf	new_jdpr.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1816 bcdedit.exe
932 bcdedit.exe
Drops file in Drivers directory 1 IoCs

Processes:

mSXUoud864.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS mSXUoud864.exe

pid	process
1816	bcdedit.exe
932	bcdedit.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	mSXUoud864.exe

Executes dropped EXE 64 IoCs

Processes:

NWDTzyuS.exemSXUoud8.exemSXUoud864.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exetakeown.exemSXUoud8.execmd.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exemSXUoud8.exe

pid	process
2044	NWDTzyuS.exe
888	mSXUoud8.exe
1712	mSXUoud864.exe
1744	mSXUoud8.exe
1752	mSXUoud8.exe
1452	mSXUoud8.exe
856	mSXUoud8.exe
1752	mSXUoud8.exe
1732	mSXUoud8.exe
1716	takeown.exe
2004	mSXUoud8.exe
1748	cmd.exe
1104	mSXUoud8.exe
316	mSXUoud8.exe
464	mSXUoud8.exe
1576	mSXUoud8.exe
1104	mSXUoud8.exe
628	mSXUoud8.exe
1196	mSXUoud8.exe
1912	mSXUoud8.exe
548	mSXUoud8.exe
2008	mSXUoud8.exe
1748	mSXUoud8.exe
1928	mSXUoud8.exe
1500	mSXUoud8.exe
2040	mSXUoud8.exe
984	mSXUoud8.exe
1736	mSXUoud8.exe
1432	mSXUoud8.exe
1816	mSXUoud8.exe
1192	mSXUoud8.exe
1904	mSXUoud8.exe
292	mSXUoud8.exe
2016	mSXUoud8.exe
804	mSXUoud8.exe
1512	mSXUoud8.exe
1192	mSXUoud8.exe
940	mSXUoud8.exe
1732	mSXUoud8.exe
2016	mSXUoud8.exe
576	mSXUoud8.exe
1192	mSXUoud8.exe
1960	mSXUoud8.exe
804	mSXUoud8.exe
2040	mSXUoud8.exe
224	mSXUoud8.exe
236	mSXUoud8.exe
1748	mSXUoud8.exe
1608	mSXUoud8.exe
1928	mSXUoud8.exe
204	mSXUoud8.exe
972	mSXUoud8.exe
1576	mSXUoud8.exe
1752	mSXUoud8.exe
1604	mSXUoud8.exe
1720	mSXUoud8.exe
236	mSXUoud8.exe
576	mSXUoud8.exe
2044	mSXUoud8.exe
1924	mSXUoud8.exe
1716	mSXUoud8.exe
940	mSXUoud8.exe
1084	mSXUoud8.exe
1748	mSXUoud8.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe	upx

Loads dropped DLL 64 IoCs

Processes:

new_jdpr.execmd.exemSXUoud8.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1656	new_jdpr.exe
1656	new_jdpr.exe
1840	cmd.exe
888	mSXUoud8.exe
2020	cmd.exe
936	cmd.exe
940	cmd.exe
744	cmd.exe
2020	cmd.exe
772	cmd.exe
1468	cmd.exe
676	cmd.exe
2016	cmd.exe
1196	cmd.exe
1224	cmd.exe
856	cmd.exe
1748	cmd.exe
1736	cmd.exe
1816	cmd.exe
1432	cmd.exe
292	cmd.exe
576	cmd.exe
804	cmd.exe
1816	cmd.exe
1608	cmd.exe
940	cmd.exe
1732	cmd.exe
1912	cmd.exe
2020	cmd.exe
2008	cmd.exe
940	cmd.exe
1608	cmd.exe
1696	cmd.exe
1196	cmd.exe
984	cmd.exe
1576	cmd.exe
2040	cmd.exe
1912	cmd.exe
972	cmd.exe
1104	cmd.exe
1744	cmd.exe
2020	cmd.exe
1196	cmd.exe
1816	cmd.exe
1744	cmd.exe
848	cmd.exe
216	cmd.exe
1512	cmd.exe
1736	cmd.exe
1808	cmd.exe
1432	cmd.exe
1924	cmd.exe
1512	cmd.exe
224	cmd.exe
1808	cmd.exe
908	cmd.exe
1452	cmd.exe
1104	cmd.exe
1292	cmd.exe
972	cmd.exe
2016	cmd.exe
1744	cmd.exe
232	cmd.exe
936	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
2376	takeown.exe
2044	takeown.exe
936	takeown.exe
1808	takeown.exe
212	takeown.exe
1300	takeown.exe
2760	takeown.exe
1744	takeown.exe
2220	takeown.exe
1576	takeown.exe
1104	takeown.exe
1808	takeown.exe
1928	takeown.exe
1752	takeown.exe
1468	takeown.exe
2640
1432	takeown.exe
576	takeown.exe
744	takeown.exe
1752	takeown.exe
2368	takeown.exe
2780
1608	takeown.exe
744	takeown.exe
1192	takeown.exe
1312	takeown.exe
856	takeown.exe
1732	takeown.exe
1608	takeown.exe
1748	takeown.exe
1696	takeown.exe
1512	takeown.exe
908	takeown.exe
972	takeown.exe
228	takeown.exe
576	takeown.exe
1584	takeown.exe
292	takeown.exe
1312	takeown.exe
1300	takeown.exe
848	takeown.exe
2872	takeown.exe
2156	takeown.exe
308	takeown.exe
848	takeown.exe
1192	takeown.exe
1120	takeown.exe
1192	takeown.exe
1808	takeown.exe
292	takeown.exe
1312	takeown.exe
1928	takeown.exe
232	takeown.exe
2444	takeown.exe
2040	takeown.exe
1696	takeown.exe
1740	takeown.exe
1720	takeown.exe
2160
1816	takeown.exe
1196	takeown.exe
224	takeown.exe
1696	takeown.exe
628	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

Processes:

new_jdpr.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6O9TWDTA\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	new_jdpr.exe
File opened for modification	C:\Program Files\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X6969WXQ\desktop.ini	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XHJ74TZW\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5JH7AFHU\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	new_jdpr.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	new_jdpr.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WINWORD.EXEnew_jdpr.exemSXUoud864.exe

description	ioc	process
File opened (read-only)	\??\F:
File opened (read-only)	\??\M:
File opened (read-only)	\??\Y:	WINWORD.EXE
File opened (read-only)	\??\V:	new_jdpr.exe
File opened (read-only)	\??\F:	new_jdpr.exe
File opened (read-only)	\??\B:	mSXUoud864.exe
File opened (read-only)	\??\S:	mSXUoud864.exe
File opened (read-only)	\??\Q:
File opened (read-only)	\??\E:	mSXUoud864.exe
File opened (read-only)	\??\E:
File opened (read-only)	\??\R:
File opened (read-only)	\??\W:
File opened (read-only)	\??\J:	WINWORD.EXE
File opened (read-only)	\??\U:	new_jdpr.exe
File opened (read-only)	\??\R:	new_jdpr.exe
File opened (read-only)	\??\O:	new_jdpr.exe
File opened (read-only)	\??\R:	WINWORD.EXE
File opened (read-only)	\??\U:	mSXUoud864.exe
File opened (read-only)	\??\V:	mSXUoud864.exe
File opened (read-only)	\??\H:
File opened (read-only)	\??\N:
File opened (read-only)	\??\F:	WINWORD.EXE
File opened (read-only)	\??\N:	new_jdpr.exe
File opened (read-only)	\??\L:	new_jdpr.exe
File opened (read-only)	\??\L:	mSXUoud864.exe
File opened (read-only)	\??\O:	WINWORD.EXE
File opened (read-only)	\??\W:	WINWORD.EXE
File opened (read-only)	\??\X:	mSXUoud864.exe
File opened (read-only)	\??\Y:	mSXUoud864.exe
File opened (read-only)	\??\G:
File opened (read-only)	\??\O:
File opened (read-only)	\??\Y:
File opened (read-only)	\??\E:	new_jdpr.exe
File opened (read-only)	\??\M:	mSXUoud864.exe
File opened (read-only)	\??\P:	mSXUoud864.exe
File opened (read-only)	\??\A:	WINWORD.EXE
File opened (read-only)	\??\K:	WINWORD.EXE
File opened (read-only)	\??\Z:	WINWORD.EXE
File opened (read-only)	\??\K:	new_jdpr.exe
File opened (read-only)	\??\S:
File opened (read-only)	\??\M:	WINWORD.EXE
File opened (read-only)	\??\X:
File opened (read-only)	\??\Z:
File opened (read-only)	\??\B:	WINWORD.EXE
File opened (read-only)	\??\L:	WINWORD.EXE
File opened (read-only)	\??\P:	WINWORD.EXE
File opened (read-only)	\??\I:	new_jdpr.exe
File opened (read-only)	\??\W:	mSXUoud864.exe
File opened (read-only)	\??\L:
File opened (read-only)	\??\N:	mSXUoud864.exe
File opened (read-only)	\??\J:
File opened (read-only)	\??\K:
File opened (read-only)	\??\T:
File opened (read-only)	\??\E:	WINWORD.EXE
File opened (read-only)	\??\Y:	new_jdpr.exe
File opened (read-only)	\??\S:	new_jdpr.exe
File opened (read-only)	\??\H:	new_jdpr.exe
File opened (read-only)	\??\Q:	WINWORD.EXE
File opened (read-only)	\??\S:	WINWORD.EXE
File opened (read-only)	\??\M:	new_jdpr.exe
File opened (read-only)	\??\A:	mSXUoud864.exe
File opened (read-only)	\??\T:	WINWORD.EXE
File opened (read-only)	\??\I:
File opened (read-only)	\??\P:

Drops file in System32 directory 1 IoCs

Processes:

description ioc process

File opened for modification C:\Windows\system32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\cg0xxAeU.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

new_jdpr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\JDPR_README.rtf	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ED12A50C-ADCB-4FB6-B0B7-713544A9D99B}\CR_EB8C7.tmp\setup.exe	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	new_jdpr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\fil.pak	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	new_jdpr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	new_jdpr.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	new_jdpr.exe
File opened for modification	C:\Program Files\EnterTrace.mpg	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti	new_jdpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	new_jdpr.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\JDPR_README.rtf	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar	new_jdpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar	new_jdpr.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\JDPR_README.rtf	new_jdpr.exe

Drops file in Windows directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI68D9.tmp
File opened for modification	C:\Windows\Installer\MSI81F5.tmp
File opened for modification	C:\Windows\Installer\MSID017.tmp
File opened for modification	C:\Windows\Installer\MSI8DBC.tmp
File opened for modification	C:\Windows\Installer\MSIB4E4.tmp
File opened for modification	C:\Windows\Installer\MSI9461.tmp
File opened for modification	C:\Windows\Installer\MSID6B2.tmp
File opened for modification	C:\Windows\Installer\MSIEB4E.tmp
File opened for modification	C:\Windows\Installer\f75c44e.ipi
File opened for modification	C:\Windows\Installer\MSI83D0.tmp
File opened for modification	C:\Windows\Installer\MSIC34.tmp
File opened for modification	C:\Windows\Installer\MSI482D.tmp
File opened for modification	C:\Windows\Installer\MSIE927.tmp
File opened for modification	C:\Windows\Installer\MSI88FE.tmp
File opened for modification	C:\Windows\Installer\MSIADA9.tmp
File opened for modification	C:\Windows\Installer\MSI2C3C.tmp
File created	C:\Windows\Installer\f75c46b.mst
File opened for modification	C:\Windows\Installer\MSI53E1.tmp
File opened for modification	C:\Windows\Installer\MSI8DCC.tmp
File opened for modification	C:\Windows\Installer\MSI168B.tmp
File opened for modification	C:\Windows\Installer\f75c45d.ipi
File opened for modification	C:\Windows\Installer\MSIDD38.tmp
File opened for modification	C:\Windows\Installer\MSI57D.tmp
File opened for modification	C:\Windows\Installer\MSI7049.tmp
File created	C:\Windows\Installer\f75c48c.ipi
File opened for modification	C:\Windows\Installer\MSI75A5.tmp
File opened for modification	C:\Windows\Installer\MSI897C.tmp
File opened for modification	C:\Windows\Installer\MSID75C.tmp
File opened for modification	C:\Windows\Installer\MSIEBDF.tmp
File opened for modification	C:\Windows\Installer\MSIE4D.tmp
File created	C:\Windows\Installer\f75c464.ipi
File opened for modification	C:\Windows\Installer\MSI6D64.tmp
File opened for modification	C:\Windows\Installer\MSI878F.tmp
File opened for modification	C:\Windows\Installer\MSIC6A9.tmp
File opened for modification	C:\Windows\Installer\MSIC38E.tmp
File created	C:\Windows\Installer\f75c42a.ipi
File opened for modification	C:\Windows\Installer\MSICE0B.tmp
File opened for modification	C:\Windows\Installer\MSI167B.tmp
File opened for modification	C:\Windows\Installer\MSI34B1.tmp
File created	C:\Windows\Installer\f75c46e.mst
File opened for modification	C:\Windows\Installer\MSID819.tmp
File opened for modification	C:\Windows\Installer\MSIEB6E.tmp
File opened for modification	C:\Windows\Installer\MSI788.tmp
File opened for modification	C:\Windows\Installer\f75c45a.ipi
File opened for modification	C:\Windows\Installer\MSI2021.tmp
File opened for modification	C:\Windows\Installer\MSIC89A.tmp
File opened for modification	C:\Windows\Installer\MSI2042.tmp
File opened for modification	C:\Windows\Installer\MSI5C3F.tmp
File opened for modification	C:\Windows\Installer\MSI773C.tmp
File opened for modification	C:\Windows\Installer\MSI5431.tmp
File opened for modification	C:\Windows\Installer\MSIA356.tmp
File opened for modification	C:\Windows\Installer\MSIB7F5.tmp
File created	C:\Windows\Installer\f75c433.ipi
File opened for modification	C:\Windows\Installer\MSIFC7B.tmp
File opened for modification	C:\Windows\Installer\MSIFE80.tmp
File opened for modification	C:\Windows\Installer\MSI248D.tmp
File opened for modification	C:\Windows\Installer\MSIF550.tmp
File opened for modification	C:\Windows\Installer\MSI5D4B.tmp
File opened for modification	C:\Windows\Installer\MSI6B3E.tmp
File opened for modification	C:\Windows\Installer\MSIB2D8.tmp
File opened for modification	C:\Windows\Installer\MSIB9D2.tmp
File opened for modification	C:\Windows\Installer\MSI249E.tmp
File opened for modification	C:\Windows\Installer\f75c47a.ipi
File opened for modification	C:\Windows\Installer\MSI8126.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1904 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1720 vssadmin.exe

pid	process
1904	schtasks.exe

pid	process
1720	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\36
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3F
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\42
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\46
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\36
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\37
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3D
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4A
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3B
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3D
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\45
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\46
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\40
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\43
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\48
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2B
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\39
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\43
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\49
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3A
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\27
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2C
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2C
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3B
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\41
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4B
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4B
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\49
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\27
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2B
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\48
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2A
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\38
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\44
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\47
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\28
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\37
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\41
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\42
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4C
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4D
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\40

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\EssentialMergeLetter.dotx = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e007500590069004b004d003100740073004e0041006a004c005f0025005e0029003000610052005f005b005e00340032005d005c0045007300730065006e007400690061006c0020004d00650072006700650020004c00650074007400650072002e0064006f007400780000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109B10090400000000000F01FEC\WhiteRabbitHiddenIntl_1033
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109E60090400000000000F01FEC\UICaptionsCompanionIntl_1033 = "ProductFilesIntl_1033"
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\1388E932434EA1242A73205BAD92D9CE\Excel\1033 = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b0045005800430045004c00460069006c006500730049006e0074006c005f0031003000330033003e0025004700340071004d0050002c004f004500390028004900280048004f0064006a004500470029007300650074006c0061006e0067000000780062002700420056004d002800380041002400210021002100210021004d004b004b0053006b0045007800630065006c0043006f006e007600650072007400650072003100320049006e0074006c005f0031003000330033003e0025004700340071004d0050002c004f004500390028004900280048004f0064006a004500470029007300650074006c0061006e00670000007800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0045007800630065006c0043006f006e007600650072007400650072003100320049006e0074006c005f0031003000330033003e0025004700340071004d0050002c004f004500390028004900280048004f0064006a004500470029007300650074006c0061006e00670000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefBilingualTextContext.1.0\ = "LexRefBilingualTextContext Class"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\36D0A086BEFF5CD46B8920ABFA2A9819
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\BlackTieMergeLetter.dotx = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e003d003f0021006c002100260044006000770040004800400078003d00390035003d007e0051005e005b005e00340032005d005c0042006c00610063006b00200054006900650020004d00650072006700650020004c00650074007400650072002e0064006f007400780000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\EquiLett.dot = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e002e00460072002a0034006e004e004a0074003d002c0068006300510027004c0040007e0037006d005b005e00340032005d005c0045007100750069007400790020004c00650074007400650072002e0064006f007400780000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{5F401D48-328B-454F-B01D-523658C364C6},{0002CE02-0000-0000-C000-000000000046} = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004500710075006100740069006f006e0045006400690074006f007200460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{239E8831-E434-421A-A237-02B5DA299DEC},List\1033 = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045005800430045004c00460069006c00650073000000780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004c00490053005400460069006c00650073000000780062002700420056004a002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00410043004300450053005300460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{CC29EB5D-7BC2-11D1-A921-00A0C91E2AA2},outex.ecf = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004f00550054004c004f004f004b00460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\749801C0E1F98EA4FBD0985566B22EFF\1036 = 7800620027004200560057003f00570041002400210021002100210021004d004b004b0053006b005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f0031003000330036003e006a003700250062005300730059002800670028003f00750024002100210036007e0039003700460000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109910090400000000000F01FEC\PubPaperDirectA4Intl_1033
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\000041091A0090400000000000F01FEC\OneNoteHelpFilesIntl_1033 = "OneNoteFilesIntl_1033"
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\95ABB819C9B84584CBD9C0F8FA658F27\1033 = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057006f007200640044006f00630075006d0065006e00740050006100720074007300460069006c006500730049006e0074006c005f0031003000330033003c0000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{239E8831-E434-421A-A237-02B5DA299DEC},CLVIEW\1033 = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0041006c00770061007900730049006e007300740061006c006c006500640000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109810090400000000000F01FEC\SetupControllerFiles
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{3A737E86-3543-4DC2-A33A-2757674258C5},1033\Discussion.gta = 7800620027004200560045002a00380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00470072006f006f0076006500460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\CAFF1E24517F24441899E380A0889CC0\1033\OMSINTL.DLL = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b004f006d00730049006e0074006c005f0031003000330033003e006b003d007a0067006c002b003d00330046004000710072005a00620055006600210041004700710000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109F10090400000000000F01FEC\SpellingAndGrammarFiles_1033
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{C9DA77FC-18F8-4172-8D65-0DAE5D1CED1A},ProofModelFile\1033 = 7800620027004200560054002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f00310030003300330000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{0979747D-C33E-413D-9737-046F1473EB19},1033 = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00560042004100460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{AD722A80-AD66-4974-A4D6-034C37CE8BB7},1033\excel.hxs = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045007800630065006c00480065006c007000460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\6DCB319E06591D11781C00AA007AE1D2\1033\jungle.gif = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b00530074006100740069006f006e0065007200790045007800740065006e0064006500640049006e0074006c005f0031003000330033003c0000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\2145AEDD47EF16C49A5F7133E322CB20
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStFrObject.1.0\CurVer\ = "LR.LexRefStFrObject.1.0.1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\B347638FCC3D5BE438A7B3A875C058E2
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\ExcelPiaReg64
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8940DAE453F43FF46A6AA36E3829ABE5\1033 = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b0057006800690074006500520061006200620069007400480069006400640065006e0049006e0074006c005f0031003000330033003e006b003d00280078005e005f006000410062003d002500750026003600310026007700720033002c0000007800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057006800690074006500520061006200620069007400480069006400640065006e0049006e0074006c005f0031003000330033003e006b003d00280078005e005f006000410062003d002500750026003600310026007700720033002c000000780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b0057006800690074006500520061006200620069007400480069006400640065006e0049006e0074006c005f0031003000330033003e006b003d00280078005e005f006000410062003d002500750026003600310026007700720033002c0000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\4097559C474E7AE408017D1F0870E7AC
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109AB0090400000000000F01FEC\SetupControllerFiles
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\219DB75EC8032D11A9A90006794C4E25\1033 = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b004400560045007800740065006e00730069006f006e007300460069006c006500730049006e0074006c005f0031003000330033003e00600055005a006500210071007900560024003d007d00560027002600690026006a005a002700710000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{CC29EDE3-7BC2-11D1-A921-00A0C91E2AA2},1033\ImportAccounts = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004f00750074006c006f006f006b0049006d0070006f00720074004500780070006f0072007400460069006c006500730000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefBilingualTextContext.1.0\CurVer\ = "LR.LexRefBilingualTextContext.1.0.1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.CVisioFileFilter\CLSID
Key created	\REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner\CLSID
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\Outlook64SearchShellReg
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{AD722A80-AD66-4974-A4D6-034C37CE8BB7},1033\xlmacro.chm = 780062002700420056004b002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045007800630065006c00480065006c007000460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\338BBE69B1DA06C4EB82874E79F60449\1033\OMSSMS.CFG = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b004f006d00730049006e0074006c005f0031003000330033003e002e002c005d004700390036006c006a004c003f0078006e005f0065006a004b0029002c004e00680000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\2145AEDD47EF16C49A5F7133E322CB20\1033\mapishellr.dll.x86 = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b005300650061007200630068005300680065006c006c0052006500670049006e0074006c005f0031003000330033003c0000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{E913BCD6-9560-11D1-87C1-00AA00A71E2D},1033\techtool.gif = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c004f00750074006c006f006f006b00530074006100740069006f006e0065007200790042006100730069006300460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{863226F8-F40F-48B7-A9B7-0212EE66F812},1033\Tasks_Part.accdt = 780062002700420056004a002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00410063006300650073007300540065006d0070006c00610074006500730049006e0074006c0000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109611090400100000000F01FEC\Gimme_OnDemandData
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{863226F8-F40F-48B7-A9B7-0212EE66F812},1033\1Right_Part.accdt = 780062002700420056004a002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00410063006300650073007300540065006d0070006c00610074006500730049006e0074006c0000000000
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{EDDCFF16-3AEE-4883-BD91-0F3978640DFB}\1.0
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{863226F8-F40F-48B7-A9B7-0212EE66F812},1033\WideScre.pot = 780062002700420056004d002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00500050005400500072006500730065006e0074006100740069006f006e00540065006d0070006c00610074006500730000000000
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109810090400000000000F01FEC\PPTNonBootFilesIntl_1033 = "PPTFilesIntl_1033"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\4DCB319E06591D11781C00AA007AE1D2
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\6DCB319E06591D11781C00AA007AE1D2\1033\currency.gif = 780062002700420056004f002800380041002400210021002100210021004d004b004b0053006b004f00750074006c006f006f006b00530074006100740069006f006e0065007200790042006100730069006300460069006c006500730049006e0074006c005f0031003000330033003c0000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\A09DB75EC8032D11A9A90006794C4E25
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\MsoCommonShellHandler64bit
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Equations\ = "Microsoft Equation"
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\8F622368F04F7B849A7B2021EE668F21\1033\OlMergLe.dot = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b0057004f005200440044006f00630075006d0065006e007400540065006d0070006c00610074006500730049006e0074006c005f0031003000330033003e004f005600780076007300390060005500580041004e005e004b0052004e005e0041007a006a0071005b005e00340032005d005c004f007200690065006c0020004d00650072006700650020004c00650074007400650072002e0064006f007400780000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{CC29EC0F-7BC2-11D1-A921-00A0C91E2AA2},jpeg = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0047007200610070006800690063007300460069006c0074006500720073004a00500045004700460069006c006500730000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{00141843-32F2-4860-A813-77B69DDFA3B5},3082\3082 = 780062002700420056005e007d00740072002600210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f00330030003800320000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\CF77AD9C8F812714D856D0EAD5C1DEA1\ProofModelFile\1036 = 7800620027004200560057003f00570041002400210021002100210021004d004b004b0053006b005300700065006c006c0069006e00670041006e0064004700720061006d006d0061007200460069006c00650073005f0031003000330036003e0030004a0025004c004100320051006f004d003900640055002400690060006f00430037002c00560000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{C3C48C3D-37B6-4C96-859A-C84F57D2D108},1025/1036 = 7800620027004200560057003f00570041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c005400720061006e0073006c006100740069006f006e00460069006c00650073005f00310030003300360000000000
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\5ABBC7A3529892F48975D0224E1A43DA\1033 = 7800620027004200560027002a00380041002400210021002100210021004d004b004b0053006b004f006e0065004e006f00740065004e006f006e0042006f006f007400460069006c006500730049006e0074006c005f0031003000330033003e00740043005100380043005700780033005100390070007a0043002500390074005a0076002400270000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\ProgID
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\E59E417A6B063D11D83000054038584D
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{AD722A80-AD66-4974-A4D6-034C37CE8BB7},1033\fm20.chm = 780062002700420056004e002900380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c00500072006f006400750063007400460069006c006500730000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\216490E0EFC183C4FB4DD378CA809599
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{F836743B-D3CC-4EB5-837A-3B8A570C852E},1033\thatch.dotx = 7800620027004200560050002800380041002400210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0057006f007200640051007500690063006b0046006f0072006d00610074007300460069006c006500730000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\VersionIndependentProgID

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

mSXUoud864.exe

pid process

1712 mSXUoud864.exe
1712 mSXUoud864.exe
1712 mSXUoud864.exe
3068
3068
3068
3068
3068
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

mSXUoud864.exe

pid process

1712 mSXUoud864.exe

pid	process
2008	WINWORD.EXE

pid	process
1712	mSXUoud864.exe
1712	mSXUoud864.exe
1712	mSXUoud864.exe
3068
3068
3068
3068
3068

pid	process
1712	mSXUoud864.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mSXUoud864.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1712	mSXUoud864.exe
Token: SeLoadDriverPrivilege	1712	mSXUoud864.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	1192	takeown.exe
Token: SeTakeOwnershipPrivilege	1752	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	1576	takeown.exe
Token: SeTakeOwnershipPrivilege	1292	takeown.exe
Token: SeTakeOwnershipPrivilege	1500	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	204	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeIncreaseQuotaPrivilege	676	WMIC.exe
Token: SeSecurityPrivilege	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	676	WMIC.exe
Token: SeLoadDriverPrivilege	676	WMIC.exe
Token: SeSystemProfilePrivilege	676	WMIC.exe
Token: SeSystemtimePrivilege	676	WMIC.exe
Token: SeProfSingleProcessPrivilege	676	WMIC.exe
Token: SeIncBasePriorityPrivilege	676	WMIC.exe
Token: SeCreatePagefilePrivilege	676	WMIC.exe
Token: SeBackupPrivilege	676	WMIC.exe
Token: SeRestorePrivilege	676	WMIC.exe
Token: SeShutdownPrivilege	676	WMIC.exe
Token: SeDebugPrivilege	676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	676	WMIC.exe
Token: SeRemoteShutdownPrivilege	676	WMIC.exe
Token: SeUndockPrivilege	676	WMIC.exe
Token: SeManageVolumePrivilege	676	WMIC.exe
Token: 33	676	WMIC.exe
Token: 34	676	WMIC.exe
Token: 35	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	236	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	548	takeown.exe
Token: SeIncreaseQuotaPrivilege	676	WMIC.exe
Token: SeSecurityPrivilege	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	676	WMIC.exe
Token: SeLoadDriverPrivilege	676	WMIC.exe
Token: SeSystemProfilePrivilege	676	WMIC.exe
Token: SeSystemtimePrivilege	676	WMIC.exe
Token: SeProfSingleProcessPrivilege	676	WMIC.exe
Token: SeIncBasePriorityPrivilege	676	WMIC.exe
Token: SeCreatePagefilePrivilege	676	WMIC.exe
Token: SeBackupPrivilege	676	WMIC.exe
Token: SeRestorePrivilege	676	WMIC.exe
Token: SeShutdownPrivilege	676	WMIC.exe
Token: SeDebugPrivilege	676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	676	WMIC.exe
Token: SeRemoteShutdownPrivilege	676	WMIC.exe
Token: SeUndockPrivilege	676	WMIC.exe
Token: SeManageVolumePrivilege	676	WMIC.exe
Token: 33	676	WMIC.exe
Token: 34	676	WMIC.exe
Token: 35	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
2008 WINWORD.EXE

pid	process
2008	WINWORD.EXE

pid	process
2008	WINWORD.EXE
2008	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

new_jdpr.execmd.execmd.execmd.exewscript.execmd.execmd.exemSXUoud8.exe

description	pid	process	target process
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1236	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	NWDTzyuS.exe
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	NWDTzyuS.exe
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	NWDTzyuS.exe
PID 1656 wrote to memory of 2044	1656	new_jdpr.exe	NWDTzyuS.exe
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1648	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 908	1656	new_jdpr.exe	cmd.exe
PID 1648 wrote to memory of 1720	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1720	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1720	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1720	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 268	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 268	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 268	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 268	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1140	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1140	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1140	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1140	1648	cmd.exe	reg.exe
PID 908 wrote to memory of 1580	908	cmd.exe	wscript.exe
PID 908 wrote to memory of 1580	908	cmd.exe	wscript.exe
PID 908 wrote to memory of 1580	908	cmd.exe	wscript.exe
PID 908 wrote to memory of 1580	908	cmd.exe	wscript.exe
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	cmd.exe
PID 1656 wrote to memory of 1524	1656	new_jdpr.exe	cmd.exe
PID 1524 wrote to memory of 1512	1524	cmd.exe	cacls.exe
PID 1524 wrote to memory of 1512	1524	cmd.exe	cacls.exe
PID 1524 wrote to memory of 1512	1524	cmd.exe	cacls.exe
PID 1524 wrote to memory of 1512	1524	cmd.exe	cacls.exe
PID 1580 wrote to memory of 1924	1580	wscript.exe	cmd.exe
PID 1580 wrote to memory of 1924	1580	wscript.exe	cmd.exe
PID 1580 wrote to memory of 1924	1580	wscript.exe	cmd.exe
PID 1580 wrote to memory of 1924	1580	wscript.exe	cmd.exe
PID 1524 wrote to memory of 308	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 308	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 308	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 308	1524	cmd.exe	takeown.exe
PID 1924 wrote to memory of 1904	1924	cmd.exe	schtasks.exe
PID 1924 wrote to memory of 1904	1924	cmd.exe	schtasks.exe
PID 1924 wrote to memory of 1904	1924	cmd.exe	schtasks.exe
PID 1924 wrote to memory of 1904	1924	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 1840	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1840	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1840	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1840	1524	cmd.exe	cmd.exe
PID 1840 wrote to memory of 888	1840	cmd.exe	mSXUoud8.exe
PID 1840 wrote to memory of 888	1840	cmd.exe	mSXUoud8.exe
PID 1840 wrote to memory of 888	1840	cmd.exe	mSXUoud8.exe
PID 1840 wrote to memory of 888	1840	cmd.exe	mSXUoud8.exe
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	mSXUoud864.exe
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	mSXUoud864.exe
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	mSXUoud864.exe
PID 888 wrote to memory of 1712	888	mSXUoud8.exe	mSXUoud864.exe

C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe
"C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\new_jdpr.exe" "C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe"
2⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe
"C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe" -n
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cg0xxAeU.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cg0xxAeU.bmp" /f
3⤵
- Sets desktop wallpaper using registry
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
3⤵
PID:268

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
3⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\VuVav6cq.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\wscript.exe
wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\VuVav6cq.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat" /sc minute /mo 5 /RL HIGHEST /F
4⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat" /sc minute /mo 5 /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
4⤵
PID:2044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /I /tn DSHCA
5⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
3⤵
PID:1512

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
3⤵
- Modifies file permissions
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AdobeID.pdf" -nobanner
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "AdobeID.pdf" -nobanner
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\mSXUoud864.exe
mSXUoud8.exe -accepteula "AdobeID.pdf" -nobanner
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
2⤵
- Loads dropped DLL
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
3⤵
PID:1536

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DefaultID.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "DefaultID.pdf" -nobanner
4⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
2⤵
- Loads dropped DLL
PID:744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
3⤵
PID:1904

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
4⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
2⤵
- Loads dropped DLL
PID:772

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
3⤵
PID:1740

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
3⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Dynamic.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Dynamic.pdf" -nobanner
4⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
2⤵
- Loads dropped DLL
PID:676

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
3⤵
PID:940

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
3⤵
- Modifies file permissions
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SignHere.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:1468

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "SignHere.pdf" -nobanner
4⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
2⤵
- Loads dropped DLL
PID:1196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
3⤵
PID:1928

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
3⤵
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "StandardBusiness.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "StandardBusiness.pdf" -nobanner
4⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
2⤵
- Loads dropped DLL
PID:856

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
3⤵
PID:1720

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
3⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ENUtxt.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:1224

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ENUtxt.pdf" -nobanner
4⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:464

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
2⤵
- Loads dropped DLL
PID:1736

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
3⤵
PID:772

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
3⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "classes.jsa" -nobanner
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "classes.jsa" -nobanner
4⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
2⤵
- Loads dropped DLL
PID:1432

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
3⤵
PID:1912

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "classes.jsa" -nobanner
3⤵
- Loads dropped DLL
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "classes.jsa" -nobanner
4⤵
- Executes dropped EXE
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
2⤵
- Loads dropped DLL
PID:576

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
3⤵
PID:2008

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
3⤵
- Loads dropped DLL
PID:292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
4⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
2⤵
- Loads dropped DLL
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
3⤵
PID:1448

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
3⤵
- Loads dropped DLL
PID:804

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
4⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\Journal.exe.mui""
2⤵
- Loads dropped DLL
PID:940

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\Journal.exe.mui" /E /G Admin:F /C
3⤵
PID:576

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\Journal.exe.mui"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Journal.exe.mui" -nobanner
3⤵
- Loads dropped DLL
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Journal.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Graph.jtp""
2⤵
- Loads dropped DLL
PID:1912

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Admin:F /C
3⤵
PID:1196

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Graph.jtp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Graph.jtp" -nobanner
3⤵
- Loads dropped DLL
PID:1732

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Graph.jtp" -nobanner
4⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\wabmig.exe""
2⤵
- Loads dropped DLL
PID:2008

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Admin:F /C
3⤵
PID:628

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\wabmig.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "wabmig.exe" -nobanner
3⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "wabmig.exe" -nobanner
4⤵
- Executes dropped EXE
PID:1736

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui""
2⤵
- Loads dropped DLL
PID:1608

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui" /E /G Admin:F /C
3⤵
PID:292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "jnwmon.dll.mui" -nobanner
3⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "jnwmon.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Genko_2.jtp""
2⤵
- Loads dropped DLL
PID:1196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Admin:F /C
3⤵
PID:576

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Genko_2.jtp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Genko_2.jtp" -nobanner
3⤵
- Loads dropped DLL
PID:1696

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Genko_2.jtp" -nobanner
4⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\wab.exe""
2⤵
- Loads dropped DLL
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\wab.exe" /E /G Admin:F /C
3⤵
PID:1736

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\wab.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "wab.exe" -nobanner
3⤵
- Loads dropped DLL
PID:984

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "wab.exe" -nobanner
4⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
2⤵
- Loads dropped DLL
PID:1912

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
3⤵
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "license.html" -nobanner
3⤵
- Loads dropped DLL
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "license.html" -nobanner
4⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
2⤵
- Loads dropped DLL
PID:1104

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
3⤵
PID:576

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
3⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "LogTransport2.exe" -nobanner
3⤵
- Loads dropped DLL
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "LogTransport2.exe" -nobanner
4⤵
- Executes dropped EXE
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui""
2⤵
- Loads dropped DLL
PID:2020

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui" /E /G Admin:F /C
3⤵
PID:1448

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PDIALOG.exe.mui" -nobanner
3⤵
- Loads dropped DLL
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PDIALOG.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Music.jtp""
2⤵
- Loads dropped DLL
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Music.jtp" /E /G Admin:F /C
3⤵
PID:1732

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Music.jtp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Music.jtp" -nobanner
3⤵
- Loads dropped DLL
PID:1196

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Music.jtp" -nobanner
4⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\PDIALOG.exe""
2⤵
- Loads dropped DLL
PID:848

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\PDIALOG.exe" /E /G Admin:F /C
3⤵
PID:1292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\PDIALOG.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PDIALOG.exe" -nobanner
3⤵
- Loads dropped DLL
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PDIALOG.exe" -nobanner
4⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Shorthand.jtp""
2⤵
- Loads dropped DLL
PID:1512

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Shorthand.jtp" /E /G Admin:F /C
3⤵
PID:1928

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Shorthand.jtp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Shorthand.jtp" -nobanner
3⤵
- Loads dropped DLL
PID:216

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Shorthand.jtp" -nobanner
4⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui""
2⤵
- Loads dropped DLL
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui" /E /G Admin:F /C
3⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "NBMapTIP.dll.mui" -nobanner
3⤵
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "NBMapTIP.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp""
2⤵
- Loads dropped DLL
PID:1924

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp" /E /G Admin:F /C
3⤵
PID:1448

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Month_Calendar.jtp" -nobanner
3⤵
- Loads dropped DLL
PID:1432

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Month_Calendar.jtp" -nobanner
4⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui""
2⤵
- Loads dropped DLL
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui" /E /G Admin:F /C
3⤵
PID:1720

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ImagingDevices.exe.mui" -nobanner
3⤵
- Loads dropped DLL
PID:1512

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ImagingDevices.exe.mui" -nobanner
4⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe""
2⤵
- Loads dropped DLL
PID:908

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
3⤵
PID:1736

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
3⤵
- Loads dropped DLL
PID:1808

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
4⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
2⤵
- Loads dropped DLL
PID:1104

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
3⤵
PID:2020

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
3⤵
- Loads dropped DLL
PID:1452

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
4⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
2⤵
- Loads dropped DLL
PID:972

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
3⤵
PID:1084

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "bl.gif" -nobanner
3⤵
- Loads dropped DLL
PID:1292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "bl.gif" -nobanner
4⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
2⤵
- Loads dropped DLL
PID:1744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
3⤵
PID:1604

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
3⤵
- Modifies file permissions
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AGMGPUOptIn.ini" -nobanner
3⤵
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "AGMGPUOptIn.ini" -nobanner
4⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
2⤵
- Loads dropped DLL
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
3⤵
PID:292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "cryptocme2.sig" -nobanner
3⤵
- Loads dropped DLL
PID:232

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "cryptocme2.sig" -nobanner
4⤵
- Executes dropped EXE
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
- Executes dropped EXE
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
2⤵
PID:1192

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
3⤵
PID:1608

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
3⤵
- Modifies file permissions
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "forms_super.gif" -nobanner
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "forms_super.gif" -nobanner
4⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
2⤵
PID:1448

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
3⤵
PID:204

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_browser.gif" -nobanner
3⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "review_browser.gif" -nobanner
4⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
2⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
3⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
3⤵
- Modifies file permissions
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "adobepdf.xdc" -nobanner
3⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "adobepdf.xdc" -nobanner
4⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
2⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
3⤵
PID:204

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
3⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "tl.gif" -nobanner
3⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "tl.gif" -nobanner
4⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
2⤵
PID:1196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
3⤵
PID:1912

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Identity-V" -nobanner
3⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Identity-V" -nobanner
4⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
2⤵
PID:1720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
3⤵
PID:1432

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-Bold.otf" -nobanner
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MyriadPro-Bold.otf" -nobanner
4⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
2⤵
PID:292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
3⤵
PID:1808

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
3⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SC_Reader.exe" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "SC_Reader.exe" -nobanner
4⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
2⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
3⤵
PID:1104

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
3⤵
- Modifies file permissions
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt55.ths" -nobanner
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "brt55.ths" -nobanner
4⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
2⤵
PID:236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
3⤵
PID:228

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
3⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa03.hsp" -nobanner
3⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "usa03.hsp" -nobanner
4⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
2⤵
PID:1716

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
3⤵
PID:1196

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CYRILLIC.TXT" -nobanner
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CYRILLIC.TXT" -nobanner
4⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
2⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
3⤵
PID:576

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
3⤵
- Modifies file permissions
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1252.TXT" -nobanner
3⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1252.TXT" -nobanner
4⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Journal.exe""
2⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Journal.exe" /E /G Admin:F /C
3⤵
PID:1312

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Journal.exe"
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Journal.exe" -nobanner
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Journal.exe" -nobanner
4⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Seyes.jtp""
2⤵
PID:232

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Admin:F /C
3⤵
PID:1104

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Seyes.jtp"
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Seyes.jtp" -nobanner
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Seyes.jtp" -nobanner
4⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
2⤵
PID:1720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
3⤵
PID:1816

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
3⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
4⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
2⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
3⤵
PID:1196

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
3⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AUMProduct.cer" -nobanner
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "AUMProduct.cer" -nobanner
4⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
2⤵
PID:576

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
3⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "add_reviewer.gif" -nobanner
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "add_reviewer.gif" -nobanner
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
2⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
3⤵
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
3⤵
- Modifies file permissions
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "forms_received.gif" -nobanner
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "forms_received.gif" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
2⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
3⤵
PID:1912

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
3⤵
- Modifies file permissions
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "reviews_super.gif" -nobanner
3⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "reviews_super.gif" -nobanner
4⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
2⤵
PID:744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
3⤵
PID:1744

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
3⤵
- Modifies file permissions
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "submission_history.gif" -nobanner
3⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "submission_history.gif" -nobanner
4⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
2⤵
PID:2040

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
3⤵
PID:984

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Identity-H" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Identity-H" -nobanner
4⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
2⤵
PID:1040

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
3⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MinionPro-Regular.otf" -nobanner
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MinionPro-Regular.otf" -nobanner
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
2⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
3⤵
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ZY______.PFB" -nobanner
3⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ZY______.PFB" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
2⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
3⤵
PID:292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
3⤵
- Modifies file permissions
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt32.clx" -nobanner
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "brt32.clx" -nobanner
4⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
2⤵
PID:1104

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
3⤵
PID:1696

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
3⤵
- Modifies file permissions
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa.fca" -nobanner
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "usa.fca" -nobanner
4⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
2⤵
PID:1448

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
3⤵
PID:236

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
3⤵
- Modifies file permissions
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CROATIAN.TXT" -nobanner
3⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CROATIAN.TXT" -nobanner
4⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
2⤵
PID:1732

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
3⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1251.TXT" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1251.TXT" -nobanner
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe""
2⤵
PID:1468

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe" /E /G Admin:F /C
3⤵
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe"
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "GoogleUpdateSetup.exe" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
2⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
3⤵
PID:932

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
3⤵
- Modifies file permissions
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadCAD.otf" -nobanner
3⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MyriadCAD.otf" -nobanner
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
3⤵
PID:1120

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "create_form.gif" -nobanner
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "create_form.gif" -nobanner
4⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
2⤵
PID:984

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
3⤵
PID:628

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "info.gif" -nobanner
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "info.gif" -nobanner
4⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
2⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
3⤵
PID:1736

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_same_reviewers.gif" -nobanner
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "review_same_reviewers.gif" -nobanner
4⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
2⤵
PID:1928

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
3⤵
PID:1104

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
3⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "trash.gif" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "trash.gif" -nobanner
4⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
2⤵
PID:292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
3⤵
PID:1448

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd-Bold.otf" -nobanner
3⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CourierStd-Bold.otf" -nobanner
4⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
2⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
3⤵
PID:1732

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
3⤵
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-It.otf" -nobanner
3⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MyriadPro-It.otf" -nobanner
4⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
2⤵
PID:236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
3⤵
PID:1468

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
3⤵
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
4⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
2⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
3⤵
PID:1452

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can.hyp" -nobanner
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "can.hyp" -nobanner
4⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
2⤵
PID:908

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
3⤵
PID:224

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa37.hyp" -nobanner
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "usa37.hyp" -nobanner
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
2⤵
PID:848

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
3⤵
PID:984

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ICELAND.TXT" -nobanner
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ICELAND.TXT" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
2⤵
PID:1120

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
3⤵
PID:1584

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
3⤵
- Modifies file permissions
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1254.TXT" -nobanner
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1254.TXT" -nobanner
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
2⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G Admin:F /C
3⤵
PID:1928

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
3⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Workflow.Targets" -nobanner
4⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui""
2⤵
PID:1264

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui" /E /G Admin:F /C
3⤵
PID:1452

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui"
3⤵
- Modifies file permissions
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MSPVWCTL.DLL.mui" -nobanner
4⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui""
2⤵
PID:1720

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G Admin:F /C
3⤵
PID:1040

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PhotoViewer.dll.mui" -nobanner
4⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Memo.jtp""
2⤵
PID:232

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Admin:F /C
3⤵
PID:228

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Memo.jtp"
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Memo.jtp" -nobanner
3⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Memo.jtp" -nobanner
4⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\WinMail.exe""
2⤵
PID:1732

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Admin:F /C
3⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\WinMail.exe"
3⤵
- Modifies file permissions
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
3⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
4⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui""
2⤵
PID:1928

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G Admin:F /C
3⤵
PID:1808

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "PhotoAcq.dll.mui" -nobanner
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
2⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
3⤵
PID:236

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
3⤵
- Modifies file permissions
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "pmd.cer" -nobanner
3⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "pmd.cer" -nobanner
4⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
2⤵
PID:208

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
3⤵
PID:1312

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "email_initiator.gif" -nobanner
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "email_initiator.gif" -nobanner
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
2⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
3⤵
PID:1432

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
3⤵
- Modifies file permissions
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "pdf.gif" -nobanner
3⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "pdf.gif" -nobanner
4⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
2⤵
PID:972

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
3⤵
PID:292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "server_issue.gif" -nobanner
3⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "server_issue.gif" -nobanner
4⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
2⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
3⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
3⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
3⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
4⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
2⤵
PID:212

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
3⤵
PID:676

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd.otf" -nobanner
3⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CourierStd.otf" -nobanner
4⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
2⤵
PID:1748

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
3⤵
PID:936

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "zx______.pfm" -nobanner
3⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "zx______.pfm" -nobanner
4⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
2⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
3⤵
PID:1928

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
4⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
2⤵
PID:848

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
3⤵
PID:1452

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
3⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can32.clx" -nobanner
3⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "can32.clx" -nobanner
4⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
2⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
3⤵
PID:208

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
3⤵
- Modifies file permissions
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "symbol.txt" -nobanner
3⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "symbol.txt" -nobanner
4⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
2⤵
PID:236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
3⤵
PID:2008

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SYMBOL.TXT" -nobanner
3⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "SYMBOL.TXT" -nobanner
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
2⤵
PID:1312

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
3⤵
PID:1292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "email_all.gif" -nobanner
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "email_all.gif" -nobanner
4⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
2⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
3⤵
PID:1808

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
3⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "open_original_form.gif" -nobanner
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "open_original_form.gif" -nobanner
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
2⤵
PID:292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
3⤵
PID:744

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
3⤵
- Modifies file permissions
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "rss.gif" -nobanner
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "rss.gif" -nobanner
4⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
2⤵
PID:1960

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
3⤵
PID:1748

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
3⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
4⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
2⤵
PID:676

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
3⤵
PID:1468

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd-Oblique.otf" -nobanner
3⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CourierStd-Oblique.otf" -nobanner
4⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
2⤵
PID:236

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
3⤵
PID:1608

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
3⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SY______.PFM" -nobanner
3⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "SY______.PFM" -nobanner
4⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
2⤵
PID:1312

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
3⤵
PID:1740

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
3⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
3⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
4⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
2⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
3⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
3⤵
- Modifies file permissions
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can129.hsp" -nobanner
3⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "can129.hsp" -nobanner
4⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
2⤵
PID:232

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
3⤵
PID:292

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "icudt26l.dat" -nobanner
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "icudt26l.dat" -nobanner
4⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
2⤵
PID:576

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
3⤵
PID:1732

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
3⤵
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ROMANIAN.TXT" -nobanner
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ROMANIAN.TXT" -nobanner
4⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
2⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
3⤵
PID:984

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1258.TXT" -nobanner
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1258.TXT" -nobanner
4⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
2⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
3⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "distribute_form.gif" -nobanner
3⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "distribute_form.gif" -nobanner
4⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
2⤵
PID:1120

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
3⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "main.css" -nobanner
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "main.css" -nobanner
4⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
2⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
3⤵
PID:1432

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_shared.gif" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "review_shared.gif" -nobanner
4⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
2⤵
PID:1300

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
3⤵
PID:232

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
4⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
2⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
3⤵
PID:1696

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
3⤵
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
3⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
2⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
3⤵
PID:940

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
3⤵
- Modifies file permissions
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-Regular.otf" -nobanner
3⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MyriadPro-Regular.otf" -nobanner
4⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
2⤵
PID:1104

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
3⤵
PID:1512

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
3⤵
- Modifies file permissions
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
3⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
3⤵
PID:208

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can03.ths" -nobanner
3⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "can03.ths" -nobanner
4⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
2⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
3⤵
PID:2008

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
3⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
2⤵
PID:1608

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
3⤵
PID:1120

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
3⤵
- Modifies file permissions
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ROMAN.TXT" -nobanner
3⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ROMAN.TXT" -nobanner
4⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
2⤵
PID:204

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
3⤵
PID:628

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
3⤵
- Modifies file permissions
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1257.TXT" -nobanner
3⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1257.TXT" -nobanner
4⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui""
2⤵
PID:1928

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
3⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
3⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
4⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\wab.exe""
2⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\wab.exe" /E /G Admin:F /C
3⤵
PID:208

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\wab.exe"
3⤵
- Modifies file permissions
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "wab.exe" -nobanner
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "wab.exe" -nobanner
4⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
2⤵
PID:228

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
3⤵
PID:1448

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "directories.acrodata" -nobanner
3⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "directories.acrodata" -nobanner
4⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
2⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
3⤵
PID:1104

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
3⤵
- Modifies file permissions
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "br.gif" -nobanner
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "br.gif" -nobanner
4⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
2⤵
PID:1748

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
3⤵
PID:232

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "form_responses.gif" -nobanner
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "form_responses.gif" -nobanner
4⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
2⤵
PID:1716

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
3⤵
PID:1732

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
3⤵
PID:280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "review_email.gif" -nobanner
3⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "review_email.gif" -nobanner
4⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
2⤵
PID:208

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
3⤵
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
3⤵
- Modifies file permissions
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "tr.gif" -nobanner
3⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "tr.gif" -nobanner
4⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
2⤵
PID:1452

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
3⤵
PID:744

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
3⤵
- Modifies file permissions
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AdobePiStd.otf" -nobanner
3⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "AdobePiStd.otf" -nobanner
4⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
2⤵
PID:212

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
3⤵
PID:676

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
3⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
2⤵
PID:224

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
3⤵
PID:1816

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
4⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
2⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
3⤵
PID:228

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
3⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "can.fca" -nobanner
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "can.fca" -nobanner
4⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
2⤵
PID:1744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
3⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "usa03.ths" -nobanner
3⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "usa03.ths" -nobanner
4⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
2⤵
PID:1448

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
3⤵
PID:1740

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "GREEK.TXT" -nobanner
3⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "GREEK.TXT" -nobanner
4⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
2⤵
PID:1120

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
3⤵
PID:676

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1253.TXT" -nobanner
3⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1253.TXT" -nobanner
4⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui""
2⤵
PID:1264

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
3⤵
PID:1720

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui"
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui""
2⤵
PID:1960

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui" /E /G Admin:F /C
3⤵
PID:2044

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui"
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "JNTFiltr.dll.mui" -nobanner
3⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "JNTFiltr.dll.mui" -nobanner
4⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp""
2⤵
PID:744

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp" /E /G Admin:F /C
3⤵
PID:228

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp"
3⤵
- Modifies file permissions
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Dotted_Line.jtp" -nobanner
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Dotted_Line.jtp" -nobanner
4⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui""
2⤵
PID:908

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G Admin:F /C
3⤵
PID:1120

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "msoeres.dll.mui" -nobanner
4⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets""
2⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Admin:F /C
3⤵
PID:936

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
3⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
4⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
2⤵
PID:212

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
3⤵
PID:1576

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "background.png" -nobanner
3⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "background.png" -nobanner
4⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe""
2⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Admin:F /C
3⤵
PID:236

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
3⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ImagingDevices.exe" -nobanner
4⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
2⤵
PID:228

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
3⤵
PID:1736

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
3⤵
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "watermark.png" -nobanner
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "watermark.png" -nobanner
4⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn""
2⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn" /E /G Admin:F /C
3⤵
PID:744

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft Help\MS.GROOVE.14.1033.hxn"
3⤵
- Modifies file permissions
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MS.GROOVE.14.1033.hxn" -nobanner
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MS.GROOVE.14.1033.hxn" -nobanner
4⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn""
2⤵
PID:1196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn" /E /G Admin:F /C
3⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft Help\MS.ONENOTE.14.1033.hxn"
3⤵
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MS.ONENOTE.14.1033.hxn" -nobanner
3⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MS.ONENOTE.14.1033.hxn" -nobanner
4⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu""
2⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
cacls "C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu" /E /G Admin:F /C
3⤵
PID:1584

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu"
3⤵
- Modifies file permissions
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Windows6.1-KB2999226-x64.msu" -nobanner
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Windows6.1-KB2999226-x64.msu" -nobanner
4⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
2⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
3⤵
PID:1196

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
3⤵
- Modifies file permissions
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "RTC.der" -nobanner
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "RTC.der" -nobanner
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
2⤵
PID:1608

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
3⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "end_review.gif" -nobanner
3⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "end_review.gif" -nobanner
4⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
2⤵
PID:676

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
3⤵
PID:936

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "reviews_joined.gif" -nobanner
3⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "reviews_joined.gif" -nobanner
4⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
2⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
3⤵
PID:1512

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "server_ok.gif" -nobanner
3⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "server_ok.gif" -nobanner
4⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
2⤵
PID:1300

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
3⤵
PID:1720

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
3⤵
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "warning.gif" -nobanner
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "warning.gif" -nobanner
4⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
2⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
3⤵
PID:1696

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
3⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
4⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
2⤵
PID:1608

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
3⤵
PID:232

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "background.png" -nobanner
3⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "background.png" -nobanner
4⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
2⤵
PID:228

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
3⤵
PID:2040

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
3⤵
- Modifies file permissions
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "SY______.PFB" -nobanner
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "SY______.PFB" -nobanner
4⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
2⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
3⤵
PID:1608

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt.hyp" -nobanner
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "brt.hyp" -nobanner
4⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
2⤵
PID:208

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
3⤵
PID:232

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
3⤵
- Modifies file permissions
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "eng32.clx" -nobanner
3⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "eng32.clx" -nobanner
4⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
2⤵
PID:1300

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
3⤵
PID:2040

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CENTEURO.TXT" -nobanner
3⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CENTEURO.TXT" -nobanner
4⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
2⤵
PID:1584

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
3⤵
PID:1608

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
3⤵
- Modifies file permissions
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "UKRAINE.TXT" -nobanner
3⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "UKRAINE.TXT" -nobanner
4⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui""
2⤵
PID:2040

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui" /E /G Admin:F /C
3⤵
PID:236

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui"
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "jnwdui.dll.mui" -nobanner
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "jnwdui.dll.mui" -nobanner
4⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\Genko_1.jtp""
2⤵
PID:2068

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\Genko_1.jtp" /E /G Admin:F /C
3⤵
PID:2092

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\Genko_1.jtp"
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "Genko_1.jtp" -nobanner
3⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "Genko_1.jtp" -nobanner
4⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui""
2⤵
PID:2160

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G Admin:F /C
3⤵
PID:2188

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"
3⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
3⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "WinMail.exe.mui" -nobanner
4⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
2⤵
PID:2252

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
3⤵
PID:2276

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
3⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "eula.ini" -nobanner
3⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "eula.ini" -nobanner
4⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
2⤵
PID:2332

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
3⤵
PID:2356

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
3⤵
- Modifies file permissions
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "AcroSign.prc" -nobanner
3⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "AcroSign.prc" -nobanner
4⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\blank.jtp""
2⤵
PID:2408

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Admin:F /C
3⤵
PID:2432

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\blank.jtp"
3⤵
- Modifies file permissions
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "blank.jtp" -nobanner
3⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "blank.jtp" -nobanner
4⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp""
2⤵
PID:2488

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp" /E /G Admin:F /C
3⤵
PID:2512

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"
3⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "To_Do_List.jtp" -nobanner
3⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "To_Do_List.jtp" -nobanner
4⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Windows Mail\WinMail.exe""
2⤵
PID:2568

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Admin:F /C
3⤵
PID:2592

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Windows Mail\WinMail.exe"
3⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
3⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "WinMail.exe" -nobanner
4⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
2⤵
PID:2648

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
3⤵
PID:2672

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
3⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "qmgr0.dat" -nobanner
3⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "qmgr0.dat" -nobanner
4⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
2⤵
PID:2724

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
3⤵
PID:2748

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
3⤵
- Modifies file permissions
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "qmgr1.dat" -nobanner
3⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "qmgr1.dat" -nobanner
4⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
2⤵
PID:2804

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
3⤵
PID:2860

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
3⤵
- Modifies file permissions
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "forms_distributed.gif" -nobanner
3⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "forms_distributed.gif" -nobanner
4⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
2⤵
PID:2924

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
3⤵
PID:2960

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
3⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "reviews_sent.gif" -nobanner
3⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "reviews_sent.gif" -nobanner
4⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
2⤵
PID:3060

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
3⤵
PID:1584

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
3⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "stop_collection_data.gif" -nobanner
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "stop_collection_data.gif" -nobanner
4⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
2⤵
PID:2092

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
3⤵
PID:2132

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
3⤵
- Modifies file permissions
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ReadMe.htm" -nobanner
3⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ReadMe.htm" -nobanner
4⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
2⤵
PID:2196

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
3⤵
PID:2232

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
3⤵
- Modifies file permissions
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "MinionPro-It.otf" -nobanner
3⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "MinionPro-It.otf" -nobanner
4⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
2⤵
PID:2280

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
3⤵
PID:2312

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
3⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ZX______.PFB" -nobanner
3⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ZX______.PFB" -nobanner
4⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
2⤵
PID:2360

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
3⤵
PID:2388

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
3⤵
- Modifies file permissions
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "brt04.hsp" -nobanner
3⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "brt04.hsp" -nobanner
4⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
2⤵
PID:2440

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
3⤵
PID:2472

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "engphon.env" -nobanner
3⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "engphon.env" -nobanner
4⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
2⤵
PID:2500

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
3⤵
PID:2524

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CORPCHAR.TXT" -nobanner
3⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CORPCHAR.TXT" -nobanner
4⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
2⤵
PID:2496

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
3⤵
PID:2608

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
3⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "CP1250.TXT" -nobanner
3⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "CP1250.TXT" -nobanner
4⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula -c Run -y -p extract -nobanner
3⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
2⤵
PID:2584

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
3⤵
PID:2688

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
3⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mSXUoud8.exe -accepteula "ended_review_or_form.gif" -nobanner
3⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
mSXUoud8.exe -accepteula "ended_review_or_form.gif" -nobanner
4⤵
PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {8E1A1768-8F34-4C18-9CF9-AC3A6DBEDE98} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
PID:2028

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat"
2⤵
PID:1264

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1720

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:1816

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:932

C:\Windows\system32\schtasks.exe
SCHTASKS /Delete /TN DSHCA /F
3⤵
PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Public\Desktop\JDPR_README.rtf"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding
1⤵
PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe
MD5
2c52f3918b636736bdf0022c64115b26

SHA1
88cf55ae8c77ed23219e7c8fe794afa93301ad6d

SHA256
224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

SHA512
551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe
MD5
2c52f3918b636736bdf0022c64115b26

SHA1
88cf55ae8c77ed23219e7c8fe794afa93301ad6d

SHA256
224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

SHA512
551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0nLDtZm.bat
MD5
5b15496cbf87759e2437da6f40b89160

SHA1
dff24af6a984033494625b3eea4abef69cdeb826

SHA256
2a0e462053cee112516169829a7fa05e4506c8f566a328eea2091b5f6f854544

SHA512
39f9edb236f4e9250ae7330a6ba449a2493f092741cc912069060592769080d595dd43cd19651d5d5e0ed4d7513fbdcd36943f6a365fa43c9d67663b450400e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSXUoud864.exe
MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\VuVav6cq.vbs
MD5
775e24efb6c88e38012470e6ed5a51f3

SHA1
93dedb9c5b915eafef17d8378e5102e7ee56db13

SHA256
3986c9909cf4f83345ffbf03c02a683128934975109ef97d35b550c6332ef4d6

SHA512
7551b06083f7b2c0b985e1c14111f5829d819f2df9d2f4c21a39eb48d62fc65f9d46740816825b1e625c0afdc44f5a200ec227eed7d74c44796a6de2f7053058

Download Submit
C:\Users\Admin\AppData\Roaming\lSLN9S9H.bat
MD5
54e0878619239d2a08f2e9da03382fa3

SHA1
014c546b0b0aabbbe0f8f5968cfa787c1fbbdcd5

SHA256
99bc3e0e2ec794dedef715249320843eb0858fda914be83281772b9a27bd3e9a

SHA512
f1fd12aec58de6757c44f0b0ecfd98e063ba3c279d9c30595f1b8908becd6676181e970074ce452576a9ba87215e09c2894677dcc79390d7edca81b6bbecf6ea

Download Submit
\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe
MD5
2c52f3918b636736bdf0022c64115b26

SHA1
88cf55ae8c77ed23219e7c8fe794afa93301ad6d

SHA256
224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

SHA512
551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Download Submit
\Users\Admin\AppData\Local\Temp\NWDTzyuS.exe
MD5
2c52f3918b636736bdf0022c64115b26

SHA1
88cf55ae8c77ed23219e7c8fe794afa93301ad6d

SHA256
224ce0605b6840d7953729cee972f9e79198cb0d45a2cd3f16198444f6d2f914

SHA512
551f22bc10ceb1af2d6f8da6a27ec842176a14108383a2d46a37f4ee3bdfda0b08732aa5549e4a07d3dc337f1ebb07ca1852eb7b0ed9320fe5117b2d5cb62495

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud8.exe
MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mSXUoud864.exe
MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/212-576-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/212-432-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/212-430-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/268-13-0x0000000000000000-mapping.dmp

Download
memory/308-22-0x0000000000000000-mapping.dmp

Download
memory/316-102-0x0000000000000000-mapping.dmp

Download
memory/464-106-0x0000000000000000-mapping.dmp

Download
memory/676-73-0x0000000000000000-mapping.dmp

Download
memory/676-51-0x0000000000000000-mapping.dmp

Download
memory/744-49-0x0000000000000000-mapping.dmp

Download
memory/772-61-0x0000000000000000-mapping.dmp

Download
memory/772-110-0x0000000000000000-mapping.dmp

Download
memory/856-58-0x0000000000000000-mapping.dmp

Download
memory/856-97-0x0000000000000000-mapping.dmp

Download
memory/856-75-0x0000000000000000-mapping.dmp

Download
memory/888-27-0x0000000000000000-mapping.dmp

Download
memory/908-11-0x0000000000000000-mapping.dmp

Download
memory/936-37-0x0000000000000000-mapping.dmp

Download
memory/940-74-0x0000000000000000-mapping.dmp

Download
memory/940-52-0x0000000000000000-mapping.dmp

Download
memory/984-111-0x0000000000000000-mapping.dmp

Download
memory/1104-94-0x0000000000000000-mapping.dmp

Download
memory/1104-118-0x0000000000000000-mapping.dmp

Download
memory/1140-14-0x0000000000000000-mapping.dmp

Download
memory/1192-87-0x0000000000000000-mapping.dmp

Download
memory/1196-85-0x0000000000000000-mapping.dmp

Download
memory/1224-100-0x0000000000000000-mapping.dmp

Download
memory/1236-3-0x0000000000000000-mapping.dmp

Download
memory/1264-36-0x0000000000000000-mapping.dmp

Download
memory/1432-123-0x0000000000000000-mapping.dmp

Download
memory/1432-382-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1432-39-0x0000000000000000-mapping.dmp

Download
memory/1452-54-0x0000000000000000-mapping.dmp

Download
memory/1468-76-0x0000000000000000-mapping.dmp

Download
memory/1512-20-0x0000000000000000-mapping.dmp

Download
memory/1524-18-0x0000000000000000-mapping.dmp

Download
memory/1536-38-0x0000000000000000-mapping.dmp

Download
memory/1576-114-0x0000000000000000-mapping.dmp

Download
memory/1580-34-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1580-15-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x0000000000000000-mapping.dmp

Download
memory/1656-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1712-31-0x0000000000000000-mapping.dmp

Download
memory/1716-78-0x0000000000000000-mapping.dmp

Download
memory/1716-35-0x0000000000000000-mapping.dmp

Download
memory/1716-99-0x0000000000000000-mapping.dmp

Download
memory/1720-98-0x0000000000000000-mapping.dmp

Download
memory/1720-12-0x0000000000000000-mapping.dmp

Download
memory/1720-122-0x0000000000000000-mapping.dmp

Download
memory/1732-70-0x0000000000000000-mapping.dmp

Download
memory/1736-109-0x0000000000000000-mapping.dmp

Download
memory/1740-62-0x0000000000000000-mapping.dmp

Download
memory/1744-42-0x0000000000000000-mapping.dmp

Download
memory/1748-90-0x0000000000000000-mapping.dmp

Download
memory/1748-112-0x0000000000000000-mapping.dmp

Download
memory/1752-46-0x0000000000000000-mapping.dmp

Download
memory/1752-66-0x0000000000000000-mapping.dmp

Download
memory/1840-24-0x0000000000000000-mapping.dmp

Download
memory/1904-50-0x0000000000000000-mapping.dmp

Download
memory/1904-23-0x0000000000000000-mapping.dmp

Download
memory/1912-124-0x0000000000000000-mapping.dmp

Download
memory/1924-21-0x0000000000000000-mapping.dmp

Download
memory/1928-86-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/2004-82-0x0000000000000000-mapping.dmp

Download
memory/2008-387-0x0000000070801000-0x0000000070803000-memory.dmp

Filesize
8KB

Download
memory/2008-381-0x0000000072D81000-0x0000000072D84000-memory.dmp

Filesize
12KB

Download
memory/2008-394-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2016-88-0x0000000000000000-mapping.dmp

Download
memory/2020-64-0x0000000000000000-mapping.dmp

Download
memory/2020-40-0x0000000000000000-mapping.dmp

Download
memory/2044-7-0x0000000000000000-mapping.dmp

Download
memory/2044-33-0x0000000000000000-mapping.dmp

Download
memory/2792-566-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3068-505-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download